Solved: Logs are indexed twice

strive · ‎04-29-2013

Hi,

We have a simple use case.
1. Place the log file in the directory in forwarder node (LWF node). This directory is monitored for logs.
2. Check if the data is indexed.

I placed a log file with just 3 events. It worked fine. I checked by writing a splunk query(index=my_raw_index) on search page and it displayed 3 records.

I cleaned the index. Placed a log file with 100 events. It worked fine.

I cleaned the index. Placed a log file with 17000 events. When i checked my_raw_index, there were 34000 records.

I tried again with lesser number of events. For lesser events it works fine, but not for the log files with more events. Why it is duplicating the events.

Thanks

Strive

strive · ‎06-30-2013

In our case, it was due to file parts. Added blacklist = .(filepart)$ under monitor stanza of inputs.conf file of forwarder node

View solution in original post

strive · ‎06-30-2013

In our case, it was due to file parts. Added blacklist = .(filepart)$ under monitor stanza of inputs.conf file of forwarder node

strive · ‎06-30-2013

In our case, it was due to file parts. Added blacklist = .(filepart)$ under monitor stanza of inputs.conf file of forwarder node

Logs are indexed twice

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio