Splunk Search

Why is the field count double the amount of total events?

JosIJntema
Explorer

Hi there,

I am new to Splunk and have sent some dummy JSON-data to Splunk.

I notice that, for example, there are 20 events in Splunk, but when I look at the message.ip field it shows a count of 40. The strange thing is that this happens with all field names. It is always exactly 200%.

How is this possible?

EDIT: Even when I focus on 1 event, the event field will have a count of 2.

The event is:

```json
{
  "message": {
    "event": "contentview",
    "sessionID": "8cae4663-7a0d-f8a6-067f-71750f3674b5",
    "userID": "3244430d-64a6-caeb-6e88-723409401f72",
    "elementTagName": "NA",
    "elementValue": "NA",
    "elementName": "DVHN",
    "ip": "::1",
    "ua": {
      "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1",
      "browser": {"name": "Mobile Safari", "version": "9.0", "major": "9"},
      "engine": {"version": "601.1.46", "name": "WebKit"},
      "os": {"name": "iOS", "version": "9.1"},
      "device": {"model": "iPhone", "vendor": "Apple", "type": "mobile"},
      "cpu": {}
    }
  },
  "severity": "info"
}
```

Thanks.

scelikok
SplunkTrust

Hi @Anonymous,

Do you have this props.conf on your search head? If not, please try the following on the search head:

```ini
KV_MODE = none
AUTO_KV_JSON = false
```

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

Anonymous
Not applicable

This worked in our case. Thank you

0 Karma

pschildein
Explorer

If you have JSON field extraction at index time via

```ini
INDEXED_EXTRACTIONS = JSON
```

you need two additional lines to solve this problem:

```ini
AUTO_KV_JSON = false
KV_MODE = none
```

Then the stats are correct.

0 Karma

chumberi
New Member

Try adding `index=foo | spath path=field_that_is_appearing_twice`

0 Karma

aaraneta_splunk
Splunk Employee

@JosIJntema - Did the answer provided by briancrandall help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

briancrandall
Explorer

I was running into this issue and thought I'd post a comprehensive solution in addition to somesoni2's nudge in the right direction. First thing, yes, I was using indexed extractions. The problem is that in etc/system/default/props.conf you find this:

```ini
[default]
AUTO_KV_JSON = true
```

This means that by default Splunk is doing search-time extractions on all JSON. I added a stanza to etc/system/local/props.conf to turn that setting off for my data:

```ini
[my_sourcetype]
AUTO_KV_JSON = false
```

And that fixed the problem. Hopefully this helps other folks that come across this and saves them some time.
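A small checker for the misconfiguration described by somesoni2 and briancrandall (index-time `INDEXED_EXTRACTIONS = JSON` on a stanza that still inherits `AUTO_KV_JSON = true` from `[default]`, or leaves `KV_MODE` on). This is an added example, not code from the thread or from Splunk; the sample props.conf text and its stanza names are constructed, and the checker simply flags any JSON-indexed stanza that does not also carry both `AUTO_KV_JSON = false` and `KV_MODE = none`.

```python
import configparser
from typing import List

# Constructed sample props.conf: [my_sourcetype] reproduces the double-count
# setup from this thread, [super:source:type] carries the fix. Names are made up.
SAMPLE_PROPS = """
[default]
AUTO_KV_JSON = true

[super:source:type]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

[my_sourcetype]
INDEXED_EXTRACTIONS = JSON
"""


def _effective(cp: configparser.ConfigParser, stanza: str, key: str, fallback: str) -> str:
    """Look a key up in the stanza, then in [default], mirroring Splunk's inheritance."""
    if cp.has_option(stanza, key):
        return cp.get(stanza, key)
    if cp.has_option("default", key):
        return cp.get("default", key)
    return fallback


def find_double_extraction(props_text: str) -> List[str]:
    """Return stanza names whose JSON would be extracted at index time AND again at search time."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(props_text)
    flagged = []
    for stanza in cp.sections():
        if stanza == "default":
            continue
        if cp.get(stanza, "INDEXED_EXTRACTIONS", fallback="").lower() != "json":
            continue  # no index-time JSON extraction here, nothing to double
        auto_kv = _effective(cp, stanza, "AUTO_KV_JSON", "true").lower()  # Splunk default is true
        kv_mode = _effective(cp, stanza, "KV_MODE", "auto").lower()       # Splunk default is auto
        if auto_kv != "false" or kv_mode != "none":
            flagged.append(stanza)
    return flagged


if __name__ == "__main__":
    for name in find_double_extraction(SAMPLE_PROPS):
        print(f"[{name}]: JSON fields extracted twice; set AUTO_KV_JSON = false and KV_MODE = none")
```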

somesoni2
SplunkTrust

It seems like field extraction is being done twice for your JSON data. Check the props.conf for your source type; it may have both the INDEXED_EXTRACTIONS and KV_MODE (search-time field extraction, preferred) properties set. You should use only one of them.

0 Karma

Anonymous
Not applicable

Hi,

I have not found any of the above statements to be correct. I am still getting the same error.

My settings are:

```ini
[super:source:type]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = @t
category = Custom
description = Superlogs that gets counted twice
disabled = false
pulldown_type = 1
```

0 Karma