If you have custom defined fields in a source type for ingesting JSON format logs, the fields may appear duplicated when searching the ingested log files.

This is thought to be because fields are extracted during indexing (when data is imported) and also when searching data, resulting in the same field being displayed twice.

To work around this issue, add the following parameter to the props.conf file on the Splunk server that runs the search:

Configuration File

props.conf on the Splunk server that runs the search

(Example of configuration file)

$SPLUNK_HOME/etc/system/local/props.conf
$SPLUNK_HOME/etc/apps/<App名>/local/props.conf

*Note: $SPLUNK_HOME for default installation

Linux：/opt/splunk
Windows：C:\Program Files\splunk

Settings

[<Name of source type of data with duplicate fields>]

KV_MODE = none

<Setting example>

[Source type A]

KV_MODE = none

After editing the configuration file, you can have the settings reflected without restarting the system by accessing the URL below and clicking the "refresh" button.

http://<SplunkサーバーのIPアドレス>:8000/debug/refresh