Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitored file indexed twice, How do I get it to only index once?

scottrunyon
Contributor
‎09-01-2017 06:14 AM

I have multiple monitored csv files that are created every day at different times on a single server with a Universal Forwarder. Old files are deleted and completely new files are created. Each file is indexed when created and then again at 05:30 am the next day causing duplicate data.

Looking through Splunk>answers, I found where I should add the crcSalt = line in the [monitor] section of inputs.conf. I did this for one of the files and the file is still being indexed twice.

What else should I do to stop the second indexing?

I do find it interesting that the second indexing for these files happen at the same time. Is there some config that sets that time? Just wondering.

Thanks for any help provided.

Scott

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-06-2017 08:02 AM

You have something external to splunk that is updating the file's last modified date at 5:30 AM daily. Check your crontab, backup routines, log rotation routines, etc.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-06-2017 08:02 AM

You have something external to splunk that is updating the file's last modified date at 5:30 AM daily. Check your crontab, backup routines, log rotation routines, etc.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎09-06-2017 07:26 AM

Maybe the following can help - Logging best practices

Under Use rotation policies it speaks about - ...set up good rotation strategies ...

Wiping out the log file and starting a fresh one is not a good log practice.

0 Karma
Reply
Solved! Jump to solution

scottrunyon
Contributor
‎09-06-2017 08:30 AM

These are not log files. An application creates a csv file showing itemnumber, username, logon time and logoff time for the previous day at 10:30 am. Splunk indexes the file at that time. Then at 05:30 the next day, the file is indexed again.

I have 3 other csv files created by different applications, that are created at different times but the second indexing is done at 05:30.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-02-2017 11:31 AM

Fix the thing that is logging in such a silly fashion.

0 Karma
Reply
Solved! Jump to solution

scottrunyon
Contributor
‎09-06-2017 05:23 AM

Could you be a little more specific? What entity should I be looking at that would be "logging in" in such a silly fashion?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...