Hi there,
I am new to Splunk and have sent some dummy JSON-data to Splunk.
I notice that, for example, there are 20 events in Splunk, but when I look at the message.ip field it shows a count of 40. The strange thing is that this happens with all field names; it is always exactly 200%.
How is this possible?
EDIT: Even when I focus on 1 event, the event field will have a count of 2.
The event is:

```json
{"message":{"event":"contentview","sessionID":"8cae4663-7a0d-f8a6-067f-71750f3674b5","userID":"3244430d-64a6-caeb-6e88-723409401f72","elementTagName":"NA","elementValue":"NA","elementName":"DVHN","ip":"::1","ua":{"ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1","browser":{"name":"Mobile Safari","version":"9.0","major":"9"},"engine":{"version":"601.1.46","name":"WebKit"},"os":{"name":"iOS","version":"9.1"},"device":{"model":"iPhone","vendor":"Apple","type":"mobile"},"cpu":{}}},"severity":"info"}
```
Thanks.
Hi @Anonymous,
Do you have this props.conf on your search head? If not, please try the settings below on the search head:

```
KV_MODE = none
AUTO_KV_JSON = false
```
This worked in our case.
Thank you
If you have JSON field extraction at index time via

```
INDEXED_EXTRACTIONS = JSON
```

you need two additional lines to solve this problem:

```
AUTO_KV_JSON = false
KV_MODE = none
```

Then the stats are correct.
Try adding `index=foo | spath path=field_that_is_appearing_twice`
@JosIJntema - Did the answer provided by briancrandall help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
I was running into this issue and thought I'd post a comprehensive solution in addition to somesoni2's nudge in the right direction. First thing, yes, I was using indexed extractions. The problem is that in etc/system/default/props.conf you find this:
```
[default]
AUTO_KV_JSON = true
```
This means that by default Splunk is doing search-time extractions on all JSON. I added a stanza to etc/system/local/props.conf to turn that setting off for my data:
```
[my_sourcetype]
AUTO_KV_JSON = false
```
And that fixed the problem. Hopefully this helps other folks that come across this and saves them some time.
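As an added example (not code from any poster in this thread, and not Splunk's own tooling), here is a small Python lint that reads a merged props.conf, layers settings the way the answers above describe (the shipped `[default]` stanza sets `AUTO_KV_JSON = true`, and Splunk's shipped `KV_MODE` default is `auto`), and reports every sourcetype that combines `INDEXED_EXTRACTIONS = json` with search-time JSON extraction still enabled. The stanza names and conf text are constructed for the example; the `SHIPPED_DEFAULTS` table is an assumption the checker uses when a stanza does not set a key itself.

```python
"""Added example: flag props.conf stanzas that extract JSON both at index time
and at search time, the pattern this thread traces the doubled field counts to.
Stanza names and conf text below are constructed, not taken from a real system."""
import re
from typing import Dict, List

Stanza = Dict[str, str]

# Assumed shipped defaults (etc/system/default/props.conf) that a stanza inherits
# when it does not set the key itself; AUTO_KV_JSON = true is what the thread found.
SHIPPED_DEFAULTS: Stanza = {"AUTO_KV_JSON": "true", "KV_MODE": "auto"}


def parse_props(text: str) -> Dict[str, Stanza]:
    """Minimal props.conf reader: [stanza] headers, key = value lines, # comments.
    Keys stay case-sensitive, as Splunk treats them. Multi-line values are not handled."""
    stanzas: Dict[str, Stanza] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any stanza, or not a setting
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective(stanzas: Dict[str, Stanza], name: str) -> Stanza:
    """Layer settings the way Splunk resolves them: shipped defaults, then the
    file's own [default] stanza, then the named stanza (most specific wins)."""
    merged = dict(SHIPPED_DEFAULTS)
    merged.update(stanzas.get("default", {}))
    merged.update(stanzas.get(name, {}))
    return merged


def is_true(value: str) -> bool:
    """Accept the boolean spellings commonly used in Splunk conf files."""
    return value.strip().lower() in ("true", "t", "1", "yes", "y")


def double_extraction_risk(stanzas: Dict[str, Stanza]) -> Dict[str, List[str]]:
    """Return {stanza: [reasons]} for stanzas that set INDEXED_EXTRACTIONS = json
    while search-time JSON extraction is still enabled."""
    findings: Dict[str, List[str]] = {}
    for name in stanzas:
        if name == "default":
            continue
        s = effective(stanzas, name)
        if s.get("INDEXED_EXTRACTIONS", "").strip().lower() != "json":
            continue  # no index-time JSON extraction, so nothing to double
        reasons: List[str] = []
        if is_true(s["AUTO_KV_JSON"]):
            reasons.append("AUTO_KV_JSON is true (inherited or explicit): "
                           "search-time JSON extraction re-extracts the indexed fields")
        if s["KV_MODE"].strip().lower() != "none":
            reasons.append(f"KV_MODE = {s['KV_MODE']}: automatic search-time "
                           "key/value extraction is still active")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed merged props.conf (the shape `splunk btool props list` prints),
# with one stanza showing the problem and one carrying the fix from this thread.
SAMPLE_PROPS = r"""
[default]
AUTO_KV_JSON = true

[my_sourcetype]
INDEXED_EXTRACTIONS = JSON
LINE_BREAKER = ([\r\n]+)

[my_sourcetype_fixed]
INDEXED_EXTRACTIONS = json
AUTO_KV_JSON = false
KV_MODE = none

[plain_syslog]
KV_MODE = auto
"""

if __name__ == "__main__":
    for stanza, reasons in double_extraction_risk(parse_props(SAMPLE_PROPS)).items():
        print(f"[{stanza}]")
        for reason in reasons:
            print("  -", reason)
```

Feed it the output of `splunk btool props list` taken on the search head, since that is where the search-time settings (`AUTO_KV_JSON`, `KV_MODE`) have to be present, as the first answer notes; a clean result on the indexer alone does not prove the search head is not re-extracting. On the sample above only `[my_sourcetype]` is reported, for both reasons; `[my_sourcetype_fixed]` is clean.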
It seems like field extraction is done twice for your JSON data. Check props.conf for your sourcetype; it may have both INDEXED_EXTRACTIONS and KV_MODE (search-time field extraction, preferred) set. You should use only one of them.
Hi
I have not found any of the above statements to be correct.
I am still getting the same error.
My settings are:

```
[super:source:type]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = @t
category = Custom
description = Superlogs that gets counted twice
disabled = false
pulldown_type = 1
```