When I index JSON files I get duplicate entries in the Splunk index and some values are not indexed at all.
Example of the JSON files:
{
    "State": "value"
    "TimeStarted": "03-jan-2018 10:13:29",
    "RBName": "Value",
    "Tower": "Value",
    "RBType": "Value",
    "ManualTimeToExecute": 20,
    "RefGUID": "cad8efd8-58c4-4924-add7-78c8f9768b83",
    "TicketDetails": {
        "TimeData": "03-jan-2018 10:13:30",
        "Description": "Value",
        "TicketNo": "Value",
        "TimeCreated": "03-jan-2018 10:13:12",
        "ShortDescription": "Value",
        "State": "Value",
        "ClientRefNumber": "Value"
    },
    "Activities": [
        {
            "LogLevel": "Information",
            "LogTime": "03-jan-2018 10:13:31",
            "Completion": "Success",
            "Severity": "GOOD",
            "ImpactedUser": "Value",
            "Condition": "GOOD",
            "LogMessage": " Value",
            "ActionTaskName": "Value"
        },
    ],
    "Comment": "Value",
    "Completion": "Success",
    "Condition": "BAD",
    "EndTime": "03-jan-2018 10:13:57",
    "Severity": "WARNING"
}
The JSON files contain one array which can contain up to 30 items, and the file name of each JSON file is unique.
The results of indexing the JSON files are:
I use Splunk version 7.1 and the default _json source type to index the files. The JSON files are hosted in a folder on the same server on which Splunk is installed.
Any idea how to fix the duplicate entries in the index and why some values are not indexed at all?