Getting Data In

Splunk re-indexing rolled over log file causing duplicate (two) copies of data

sfmandmdev
Path Finder

We have a log file rotation policy that rolls over based on size (64MB). For some reason, every now and then (frequent but not all the time), splunk forwarder thinks the rolled over file is a new file and ships it again causing duplicates in the indexer.

We would find the same event from filenames blah and blah.0 (rolledover file name).

Any clues what might be causing this issue?

dwaddle
SplunkTrust
SplunkTrust

How are you performing your roll-over? It is a rename or a copy?

0 Karma

hmahendrakumar
Path Finder

It is a rename.
Note: ZFS is underlying FS
Each process has a lot of threads that
write to log files protected by a mutex. So only one thread can write at a time.
When we see the file growing to exceed this size (~64MB), we acquire the mutex
blocking any writes to the file, closing the file, deleting oldest generation N (BLAHFILENAME.N)
then for (n = 0; n < N; n++) rename BLAHFILENAME.N to BLAHFILENAME.N+1
then finally renaming current log file BLAHFILENAME to BLAHFILENAME.0
then creating a new empty log file BLAHFILENAME and releasing the mutex
allowing all threads to write to the new file.

0 Karma

sfmandmdev
Path Finder

We don't have any crcSalt settings set. Also this does not happen all the time i.e All rolled over versions of the same log file are not duplicated.

0 Karma

Ayn
Legend

Do you have any particular crcSalt settings set in inputs.conf for this particular source?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...