Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correct fields extracted twice ?

emallinger
Communicator
‎07-08-2021 08:40 AM

Hello,

I made a mistake during on migration on data source. I moved from csv format to json.

Suppose the migration date is day A.

On that day, I have in my props.conf (the one on the indexer cluster)

[toto]

INDEXED_EXTRACTIONS = json

When I looked at the result on the Search Cluster, the field where displayed twice.

I missed the props.conf on the SHC saying :

[toto]

KV_MODE = json.

 

So on day B : I rolled back => and deleted the "INDEXED_EXTRACTIONS" from the props.conf file on the IDX cluster.

 

Since day B : results are perfectly fine.

 

BUT :

When I look at events between A and B period => the fields are displayed twice.

I need to keep the KV_MODE on, because otherwise, I cannot extract any data when searching (no extraction made at index time before day A and after day B).

As a results, all calculus using part of period between A and B are false. I even get percentage > 100%.

 

Question is :

- do you have any idea how to fix this so the results of the splunk command will be ok (I can't believe I'm the only one to face this wall).

- is there any way to delete the extracted fields withour deleting (masking) the data ?

 

Thanks everyone,

Regards,

Ema

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
Influencer
‎07-08-2021 09:04 PM

You cannot change the sourcetype once the data has been indexed. You'll need to delete it and re-ingest.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

codebuilder
Influencer
‎07-08-2021 09:04 PM

You cannot change the sourcetype once the data has been indexed. You'll need to delete it and re-ingest.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

emallinger
Communicator
‎07-12-2021 04:04 AM

Hello,

Thanks, I'm currently doing this one.

But, I'd hoped for another solution as I keep storing "faulty" data even though it's useless.

(Plus, this is not easy doing that on prod env).

Regards,

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...