I have a Splunk On Call webhook that is using a POST request to send data to my index and sourcetype. Anytime a user enters a chat message for an incident, it will fire the webhook and data immediately gets added to that sourcetype.
My issue: The raw events in the index and sourcetype show one event. However, when I table data, the values in each field get duplicated with the same data as a multivalue field.
Based on other Splunk Community questions, I've made some changes to the sourcetype settings:
[mysourcetype]
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldowntype = true
This did not fix the issue like it has for others.
I have tried creating sourcetypes a few different ways:
1. Going into Settings > Sourcetypes > selecting "New Source Type" and updating the settings.
2. Cloning _json sourcetype that Splunk has so I can keep the settings, but am still getting duplicate values when I table.
3. Going into Settings > Data Inputs > HTTP Event Collector > selecting "New Token" > creating a new sourcetype in "Input Settings"
I also noticed that the JSON events do not highlight syntax by default. Is this due to the KV_MODE being set to none? Can I set it to json without duplicating my data?