×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kathhuynh
Explorer
Member since: ‎11-01-2021
‎03-04-2022
Community Statistics
Posts 7
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎11-01-2021
Activity Feed
View All

Re: Why does json data get duplicated after tablin...

by in Splunk Cloud Platform
‎03-04-2022 05:50 PM
1 Karma
‎03-04-2022 05:50 PM
1 Karma
I tried replicating the sourcetype settings here and it did not work for my case: https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-with-INDEXED/td-p/188551?_ga=2.153916656.937356172.1646061092-893813366.1631658459   However, since this data is coming from the Splunk On Call webhook, I found a solution: I removed the AUTO_KV_JSON and INDEXED EXTRACTIONS settings and KV_MODE=json and the data is coming in with the correct format and not duplicating. [mysourcetype] KV_MODE = json LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Structured disabled = false pulldowntype = true I'm guessing the reason why it didn't work before is that INDEXED_EXTRACTIONS "settings change the defaults for other settings in this subsection to appropriate values". It must have conflicted with my inputs.props and the other sourcetype settings somehow. ... View more

Re: Lookup File Limits

by in Splunk Cloud Platform
‎11-08-2021 04:33 PM
‎11-08-2021 04:33 PM
Hello, On our cloud stack, splunk support defined a limit of 50 MB for the lookup files. I guess this might be variable.   Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2022 09:11 PM
Karma from
View All
Karma given to
View All