×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
john789789
Observer
Member since: ‎04-06-2022
‎11-21-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-06-2022
Activity Feed
Topics I've Started
View All

Re: Duplicated JSON fields on search

by in Splunk Search
‎11-21-2025 05:42 AM
‎11-21-2025 05:42 AM
Thank you @PickleRick for the answer. I am doing my tests on a test environment so far, so I have no issue editing system local files or such. I plan to have an app, with Global permissions, once I managed to have the correct settings.   > First things first - don't use indexed extractions unless there is absolutely no other way. so, simply removing INDEXED_EXTRACTIONS=JSON would do the trick here ? I tried to do so, and : - the fields are not duplicated (yay!) - file which contents is a json array are not supported anymore, for example [{'key1': 'val1'}, {'key2':'val2'}], while they were supposed before - the web search display some extracted key values, but there is a field named "punct" with just a list of comma / quotes / brackets, which led me to believe that the data isn't read / parsed fully > I'd check if there aren't other effective settings (host and source-based settings have precedence over general sourcetype-defined ones). Out of a quick check, I do not find anything. Is there a good way to check for everything ? Just know that, for a test only, I added the following stanza in my search head /opt/splunk/etc/system/local/props.conf [default] KV_MODE = none AUTO_KV = false AUTO_KV_JSON = false FIELD_DISCOVERY = false to try to have precedence over any other props.conf setting file, but this did not change anything.       ... View more

Duplicated JSON fields on search

by in Splunk Search
‎11-20-2025 09:00 AM
‎11-20-2025 09:00 AM
Hello,   I am running into the "common" issue of duplicated JSON fields. I use Splunk Enterprise 9.2, with an Universal Forwarder, an indexer cluster, and a search head cluster. My forwarder as the following configuration files :  /opt/splunkforward/etc/system/local/inputs.conf # Forwarder, /opt/splunkforward/etc/system/local/inputs.conf [batch:///opt/splunk_input/index_d/*] move_policy = sinkhole index= index_d source = index_d sourcetype = index_d time_before_close = 0 crcSalt = <SOURCE> blacklist = \.lock$  /opt/splunkforward/etc/system/local/props.conf  [index_d] # Universal Forwarder, /opt/splunkforward/etc/system/local/props.conf INDEXED_EXTRACTIONS = JSON KV_MODE = none AUTO_KV = false AUTO_KV_JSON = false On my search head, I directly edited the system file /opt/splunk/etc/system/local/props.conf with the following : [index_d] # Search Head, /opt/splunk/etc/system/local/props.conf INDEXED_EXTRACTION = JSON KV_MODE = none AUTO_KV = false AUTO_KV_JSON = false FIELD_DISCOVERY = false   With this configuration, I get duplicated values for all extracted fields.  I checked on my search head that those fields are correctly applied, using : splunk btool props list index_d which correctly lists the value from the props.conf file, I would assume those are correctly setup. If i edited directly the local file on the system folder, it was to avoid permissions issues as listed here  : https://splunk.my.site.com/customer/s/article/Field-Value-Type-Discrepancies-in-KV-MODE I also tried to run on the search head :    [index_d] # Commenting out the INDEXED_EXTRACTION field on the Search head # INDEXED_EXTRACTION = JSON KV_MODE = none AUTO_KV = false AUTO_KV_JSON = false FIELD_DISCOVERY = false   But no luck I spent some time reading similar questions about this topic, and sadly no solution tried so far helped me. I happily welcome any suggestion, thank you   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-21-2025 05:36 AM