Hi there,
I am new to Splunk and have sent some dummy JSON data to Splunk.
I notice that, for example, there are 20 events in Splunk, but when I look at the message.ip field, it shows a count of 40. The strange thing is that this is happening with all field names. It is all exactly 200%.
How is this possible?
EDIT: Even when I focus on 1 event, the event field will have a count of 2.
The event is:
{"message":{"event":"contentview","sessionID":"8cae4663-7a0d-f8a6-067f-71750f3674b5","userID":"3244430d-64a6-caeb-6e88-723409401f72","elementTagName":"NA","elementValue":"NA","elementName":"DVHN","ip":"::1","ua":{"ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1","browser":{"name":"Mobile Safari","version":"9.0","major":"9"},"engine":{"version":"601.1.46","name":"WebKit"},"os":{"name":"iOS","version":"9.1"},"device":{"model":"iPhone","vendor":"Apple","type":"mobile"},"cpu":{}}},"severity":"info"}
Thanks.