Re: Why are my json data extracted twice

rolfberkenbosch · ‎01-09-2018

My inputs.conf is:

[monitor:///var/log/grains.log]
sourcetype = grains_log
disabled = 0
index = os

My props.conf is as follows:
[grains_log]
INDEXED_EXTRACTIONS = json
KV_MODE = none

But I keep seeing double values.

Does someone has an idea what I miss here ?

ddrillic · ‎02-05-2018

-- double values

What do you mean by that? do you see the events once and twice the count of values on the fields side bar?

felipesewaybric · ‎02-04-2018

while you can find the solution, you can use "| dedup _raw" to remove duplicates,

mdsnmss · ‎01-09-2018

These questions should help answer yours. The INDEXED_EXTRACTIONS = json should be located where the data is being indexed. If the search head is on a different system from where the indexing is taking place then you will also need the props.conf for that sourcetype on the search head specifying KV_MODE = none. It's likely you are getting both index time and search time extractions for the JSON data.

micahkemp · ‎02-04-2018

You may consider converting this to an answer.

somesoni2 · ‎01-09-2018

Where does this props.conf resides? Do you've dedicated search heads?

Why are my json data extracted twice

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases