cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kathhuynh
Explorer
Member since: ‎11-01-2021
‎03-04-2022
Community Statistics
Posts 7
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎11-01-2021
Activity Feed
View All

Re: Why does json data get duplicated after tablin...

by in Splunk Cloud Platform
‎03-04-2022 05:50 PM
1 Karma
‎03-04-2022 05:50 PM
1 Karma
I tried replicating the sourcetype settings here and it did not work for my case: https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-with-INDEXED/td-p/188551?_ga=2.153916656.937356172.1646061092-893813366.1631658459   However, since this data is coming from the Splunk On Call webhook, I found a solution: I removed the AUTO_KV_JSON and INDEXED EXTRACTIONS settings and KV_MODE=json and the data is coming in with the correct format and not duplicating. [mysourcetype] KV_MODE = json LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Structured disabled = false pulldowntype = true I'm guessing the reason why it didn't work before is that INDEXED_EXTRACTIONS "settings change the defaults for other settings in this subsection to appropriate values". It must have conflicted with my inputs.props and the other sourcetype settings somehow. ... View more

Re: Why does json data get duplicated after tablin...

by in Splunk Cloud Platform
‎02-16-2022 11:49 AM
‎02-16-2022 11:49 AM
Thank you. Also confirmed I am searching in Verbose. Here's a snippet of the parsed fields.     ... View more

Re: Why does json data get duplicated after tablin...

by in Splunk Cloud Platform
‎02-16-2022 11:31 AM
‎02-16-2022 11:31 AM
Sorry - what do you mean by parsed fields "view"?  ... View more

Re: Why does json data get duplicated after tablin...

by in Splunk Cloud Platform
‎02-16-2022 09:37 AM
‎02-16-2022 09:37 AM
index=dev_training sourcetype=dev_alerts_logs | table * ... View more

Why does json data get duplicated after tabling th...

by in Splunk Cloud Platform
‎02-15-2022 12:47 PM
‎02-15-2022 12:47 PM
I have a Splunk On Call webhook that is using a POST request to send data to my index and sourcetype. Anytime a user enters a chat message for an incident, it will fire the webhook and data immediately gets added to that sourcetype. My issue: The raw events in the index and sourcetype show one event. However, when I table data, the values in each field gets duplicated with the same data as a multivalue field. Based on other Splunk Community questions, I've made some changes to the sourcetype settings: [mysourcetype] AUTO_KV_JSON = false INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Structured disabled = false pulldowntype = true This did not fix the issue like it has for others. I have tried creating sourcetypes a few different ways: 1. Going into Settings > Sourcetypes > selecting "New Source Type" and updating the settings. 2. Cloning _json sourcetype that Splunk has so I can keep the settings, but am still getting duplicate values when I table. 3 Going into Settings > Data Inputs > HTTP Event Collector > selecting "New Token" > creating a new sourcetype in "Input Settings"   I also noticed that the json events does not highlight syntax by default. Is this due to the KV_MODE being set to none? Can I set it to json without duplicating my data? ... View more

Lookup File Limits

by in Splunk Cloud Platform
‎11-01-2021 10:04 AM
‎11-01-2021 10:04 AM
I had some questions about the limits of a lookup file that I wasn't able to find when referencing documentation (below) or anywhere else in Splunk Cloud. https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/DefineaKVStorelookupinSplunkWeb What is the lookup file limit/is there a file limit when uploading directly to browser?  How long will data in lookup files be stored (do they ever get deleted after a time period?) Does joining with large lookups with OUTPUT/OUTPUTNEW have a limit to how much data is joined between the two lookups OR an index/sourcetype and a lookup? Is there a max limit for the amount of records that can be overwritten into the lookup when you run |outputlookup?   Business Use Case Example: We are ingesting logs and putting them into an index/sourcetype. We've created a search to append the sourcetype with a lookup file by an ID. This search will get updated everyday by the hour and output a new lookup. The amount of new data that gets added into the sourcetype varies in the 10s up to the 100s daily. If we keep doing it this way, the data size for the lookup on the browser will increase exponentially so I'm worried if there is a limit. Also open to recommendations on a better way of doing this. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2022 09:11 PM
Karma from
View All
Karma given to
View All