Solved: Re: Values repeated in each field

AnujaJ · ‎04-17-2019

I am getting repeated values in Splunk fields. This can be seen only in Table view. For list view/raw there is no repetition seen. However, my search queries treat all these fields as multi-valued fields. I do not want the repeated values in the single valued field.

Values in Splunk

Props.conf
[kpi_json]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TZ=Europe/Berlin
TIMESTAMP_FIELDS=@timestamp

woodcock · ‎04-17-2019

Try these settings in props.conf on your Search Heads:

[YourSourcetypeHere]
KV_MODE = none
AUTO_KV_JSON = false

View solution in original post

AnujaJ · ‎05-17-2019

I removed Indexed extractions from the prop.conf on UF. And that resolved my issue.

woodcock · ‎04-17-2019

Try these settings in props.conf on your Search Heads:

[YourSourcetypeHere]
KV_MODE = none
AUTO_KV_JSON = false

AnujaJ · ‎04-18-2019

I have these settings on props.conf on UF. Is that the problem that I need to put these settings on SH?

woodcock · ‎04-18-2019

Yes, that is most definitely the problem.

solarboyz1 · ‎04-17-2019

It sounds like you want to dedup a multi-value field:

| eval a=dedup(a), b=dedup(b)

AnujaJ · ‎04-17-2019

This is not a multivalued field. This is a single valued field. All fields except the date field are affected. I want all the fields to appear as single valued field. The json data has getting wrongly doubled values.

solarboyz1 · ‎04-17-2019

What is the search used to generate the table

AnujaJ · ‎04-17-2019

index=kpi sourcetype=kpi_json

Values repeated in each field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases