Jschogel, thank you for your response: this is the right direction!

Note: the two "source types" have been designed "manually" in each Splunk install/instance, and the names/descriptions, as you have well seen in the event, are effectively different, but this is just a naming difference. The *intent* was to have exactly the same settings.

Upon investigation, I can see a difference in the "/etc/system/local/props.conf" file.

### Instance with WRONG counts:

[mule-service-audit-json]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = logTimestamp
category = Structured
description = Mule application logging service audit
pulldown_type = 1
disabled = false

### Instance with RIGHT counts:

[mule-service-audit-json]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = logTimestamp
category = Structured
description = Mule application logging service audit
disabled = false
pulldown_type = 1

The only difference is the explicit mention of "KV_MODE = none" in the RIGHT instance's config. I have updated the instance with WRONG stat counts with this additional property in props.conf, and the counts are now CORRECT. Special thx to you.

I am not sure how I introduced this difference while manually creating the source type configuration. I may have clicked on some Advanced setting by mistake and deleted the KV_MODE=none property.

I understand that IF KV_MODE is not set, then Splunk will assume a value of "AUTO", with automated detection of KV expressions. This triggered the multiple extractions. I also understand that "KV_MODE=json" should not be put TOGETHER with "INDEXED_EXTRACTIONS = json", as it could result in duplicate extraction. So I have left KV_MODE=none.

Thank you very much and kind regards.

-Florent.
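A small check for the pitfall described in this thread, as an added example that is not from the post or from Splunk: a Python script that parses props.conf stanzas and flags any sourcetype where INDEXED_EXTRACTIONS = json runs without an explicit KV_MODE = none (the stanza names in the embedded sample are constructed, mirroring the two configs above).

```python
import configparser

# Constructed sample props.conf: the first stanza mirrors the WRONG instance
# (no KV_MODE), the second the RIGHT one, the third shows the json/json clash.
SAMPLE_PROPS = r"""
[mule-service-audit-json-wrong]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = logTimestamp

[mule-service-audit-json-right]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = logTimestamp

[other-json-sourcetype]
INDEXED_EXTRACTIONS = json
KV_MODE = json
"""

def parse_props(text):
    """Parse a props.conf body, preserving key case and allowing empty values."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep INDEXED_EXTRACTIONS / KV_MODE as written
    cp.read_string(text)
    return cp

def lint_kv_mode(text):
    """Return {stanza: (status, advice)} for stanzas using INDEXED_EXTRACTIONS = json.
    status is 'ok', 'missing' (KV_MODE absent, so Splunk defaults to auto and
    re-extracts at search time) or 'conflict' (KV_MODE set to something other
    than none, which also duplicates the indexed fields)."""
    cp = parse_props(text)
    verdicts = {}
    for stanza in cp.sections():
        section = cp[stanza]
        if (section.get("INDEXED_EXTRACTIONS") or "").strip().lower() != "json":
            continue  # only index-time JSON sourcetypes are affected
        kv = section.get("KV_MODE")
        if kv is None:
            verdicts[stanza] = ("missing", "KV_MODE defaults to auto; add KV_MODE = none")
        elif kv.strip().lower() == "none":
            verdicts[stanza] = ("ok", "search-time extraction disabled as intended")
        else:
            verdicts[stanza] = ("conflict", f"KV_MODE = {kv.strip()} duplicates indexed fields; set none")
    return verdicts

if __name__ == "__main__":
    for stanza, (status, advice) in lint_kv_mode(SAMPLE_PROPS).items():
        print(f"{stanza}: {status} ({advice})")
```

Point it at a real file with `lint_kv_mode(open(path).read())` to review every json sourcetype in one pass.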