Hello,
I noticed with the latest version of the app "Splunk for Cisco IPS" that events from my IPS are being displayed multiple times when I query a specific event in a given time frame.
I checked the SDEE log on the Splunk server; there is a single entry for the event in question, but when I query the same event, it is listed over 100 times in a span of an hour.
It looks like Splunk continues to read the log and display the same messages again.
Do you / did you by chance have the UNIX app installed at the time?
Please make sure your inputs.conf has crcSalt and followTail=1.
Because the log entry can be very long, make sure the line breaks are correctly done. I used this line in my props.conf file to define the line breaks:
BREAK_ONLY_BEFORE = ^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,}
Good luck!
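To see what that BREAK_ONLY_BEFORE rule actually does to a multi-line SDEE entry, here is a small added Python emulation of Splunk's line-breaking behaviour (not code from the app or from the posts above). The sample log text and its field names (eventId, hostId, and so on) are constructed for illustration, not captured from a sensor.

```python
import re
from typing import List

# The BREAK_ONLY_BEFORE pattern from the answer above. Splunk starts a new
# event only at a line matching it; every other line is appended to the
# current event. The {15,} quantifiers keep short numeric fields on
# continuation lines from being mistaken for the start of a new event.
BREAK_ONLY_BEFORE = re.compile(r'^\d{15,}\s+[a-zA-Z](?:[_-]?\w)*="\d{15,}')

# Constructed sample: two events, each spread over several lines. The
# field names are hypothetical; they only need to match the regex shape.
SAMPLE_SDEE_LOG = """\
1309000000000000000 eventId="1309000000000000123" hostId="sensor01" severity="high"
    signature="2004" attacker="192.0.2.10" target="192.0.2.20"
12345 extra="short leading number must NOT start a new event"
1309000000000000001 eventId="1309000000000000124" hostId="sensor01" severity="low"
    signature="1234" attacker="192.0.2.11" target="192.0.2.21"
"""


def split_events(raw: str) -> List[str]:
    """Emulate BREAK_ONLY_BEFORE: a new event begins at each matching line."""
    events: List[str] = []
    for line in raw.splitlines():
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append(line)          # boundary line: open a new event
        else:
            events[-1] += "\n" + line    # continuation: glue onto the last event
    return events


def event_ids(raw: str) -> List[str]:
    """Return the eventId value of each event found by split_events."""
    ids = []
    for event in split_events(raw):
        m = re.search(r'eventId="(\d+)"', event)
        ids.append(m.group(1) if m else "")
    return ids


if __name__ == "__main__":
    for i, ev in enumerate(split_events(SAMPLE_SDEE_LOG), 1):
        print(f"--- event {i} ({ev.count(chr(10)) + 1} lines) ---")
        print(ev)
```

Without a rule like this, each physical line can land as its own event or be merged wrongly, which makes a single SDEE entry show up as several hits in a search.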