Splunk Search

Added _meta to default result in double counts.

rbal_splunk
Splunk Employee
Splunk Employee

unable to search data using SPL

index=test ssp=3538

following search does return the result

index=test ssp=*3538

To resolve the issue implemented

Fields.conf
[ssp]
INDEXED = True

After adding to Fields.conf we could search using >>>index=agcy-dns ssp=3538
We noticed that field ssp case giving a double count.

Tags (2)
0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

To see duplicate usedvalue for filed as used

index=test ssp=3538 | eval A=mvcount(ssp) | search A=2

Issue was meta was defined ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) in default stanza for inputs.conf , for search head ( inputs.conf with _meta settings) , and for indexer indexer(inputs.conf, the same _meta settings) resulted in two values because we do not deduplicate

We suspect it become like this ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) and they were indexed twice.

It will be notice toe document it.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...