Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to resolve when data getting duplicated twice in indexers?

mpreddy
Communicator
‎11-02-2016 01:23 PM

Hi Splunkers,

I have noticed an issue in my Splunk environment:

Issue:

Data is getting duplicated twice in indexers. If i do a search in search head, the same events are coming in twice. this issue started 2 days ago, earlier there is no issue with the data.

My Investigations:

1)checked the application logs wether same log is existing twice? Answer: No
2)Checked whether this issue is happening to one sourcetype OR only for one index OR one forwarder? Answer: No it is affecting all forwarders and indexers data.

My questions:

  • Is the issue is from the Indexer cluster side?
  • Is the issue is from the forwarder side?
  • Or any other reason why it is happening? and what are the steps need to prevent it?

Thanks in advance.

Regards,
Reddy.

Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎02-01-2017 04:00 PM

Seems like an issue from 6.3.x upgrade to newer version after 6.4.x would fix the issue.

V

View solution in original post

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎02-01-2017 04:00 PM

Seems like an issue from 6.3.x upgrade to newer version after 6.4.x would fix the issue.

V
Reply
Solved! Jump to solution

erwan_raulet
Explorer
‎06-21-2017 08:37 AM

I have the same problem and my version is Splunk Enterprise 6.5.3. Do you have an issue?

0 Karma
Reply
Solved! Jump to solution

sreekarnapu1109
New Member
‎01-20-2020 05:28 AM

I have same issue my data is getting doubled in indexers each time a log is captured

0 Karma
Reply
Solved! Jump to solution

dxu_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 05:01 PM

are the duplicate events coming from the same bucket or different buckets? you can isolate one of the duplicate events, and then check with bucket+splunk_server the event and its duplicates are being returned from

"some_dup_event | eval bkt=_bkt | fields + bkt,splunk_server"

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎11-02-2016 04:32 PM

Something changed in your configuration. Did someone change outputs.conf. on the forwarders?
If no one changed the source data files, then someone must have changed a Splunk setting in some .conf file

0 Karma
Reply
Solved! Jump to solution

mpreddy
Communicator
‎11-02-2016 04:35 PM

@lguinn

We did not touched any config files in forwarders.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...