JSON data with indexed extraction on Heavy Forwarder and KV mode =none with JSON events are giving out 2 values for 1 field, I did thoroughly checked the data and also after the field extractions and I did make sure each props has the app permission under local.meta or default.meta
[]
access = read : [ * ], write : [ admin, power ]
export = system
Ran tstats count where index= json index by duplicatedvaluefield which give the correct value - 9 - for 9 events
Where as when count of values for the field with stats gives 18 - for 9 events.
Below are the conf that I used,
On HEavy forwarder:
[_json]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON=false
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N
- ON Search head -
[_json]
KV_MODE=none
AUTO_KV_JSON=false
disabled = false
On indexers
[_json]
SHOULD_LINEMERGE=false
KV_MODE=none
AUTO_KV_JSON=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N
Please help me by pointing the issue with this.
↧