In all probability what you’re describing is a multivalue field inside the JSON blob, and not a "duplicated" field. Please share some sample data to verify.
Are you seeing something like this in a | table?
FieldA | FieldB
^^^^^^^^^^^^^^^
BarA | FooB
| FooM
^^^^^^^^^^^^^^^
BarB | FooA
| FooG
If so, then in your JSON blob there are multiple values being tucked inside one of the key-value "pairs"
And you’ll want to mvexpand them to get a one-for-one mapping in your table thusly:
<SPL before |table>
| mvexpand FieldB
| table FieldA FieldB
<any other SPL you have>
This will yield you a table like this:
FieldA | FieldB
^^^^^^^^^^^^^^^
BarA | FooB
^^^^^^^^^^^^^^^
BarA | FooM
^^^^^^^^^^^^^^^
BarB | FooA
^^^^^^^^^^^^^^^
BarB | FooG
from User warren – Stack Overflow https://stackoverflow.com/questions/64593739/splunk-duplicated-json-fields-on-searchhead/64646589#64646589
via IFTTT