Why do certain searches return duplicates for some events that were only indexed once?

Murali2888
Communicator

Hi All,

I came across a weird behavior where a search head displays duplicate events only in certain scenarios, even though the event is indexed only once. I confirmed the indexing part by checking the metadata and _indextime values for the events.

When I run the Base Search for a one-month period, a few events are displayed twice, resulting in an invalid number of events. However, when I run Base Search | timechart span=1mon count, the events are not duplicated and the count is correct.

Has anybody come across this sort of behavior? I would also like to understand how the search head renders events.

Thanks for your help.


javiergn
Super Champion

Hi,

Can you try appending the following to one of those searches returning duplicate events? More info here

yoursearch 
| eval myUniqueId = index + "_" + _cd + "_" + splunk_server 
| stats count by myUniqueId 
| where count > 1

It should return 0.

Then try the following too:

yoursearch 
| stats count by _raw 
| where count > 1

It should return 0 too.

If either of these searches returns anything at all, can you please post what your search looks like so that we can investigate this further? If none of those events was indexed twice, they shouldn't show up twice.

If we manage to identify the duplicates we can delete them to avoid problems in future but we should try to find the root cause first.

Which version of Splunk are you running? Can you give us more information about your deployment? Is it distributed, multisite, any clustering, etc?

Thanks,
J

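A small Python model of the two checks above, added here as an illustration and not part of the original thread: it builds the same composite key over a constructed set of search results and shows how to read the outcome of both checks together. The field names index, _cd, splunk_server and _raw are Splunk's; the event values are made up.

```python
from collections import Counter

# Constructed sample of results as a search head might return them; each record
# carries the fields the forum check relies on: index, _cd (the event's
# bucket:offset address on its indexer), splunk_server and _raw.
SAMPLE_EVENTS = [
    {"index": "main", "_cd": "12:4567", "splunk_server": "idx1", "_raw": "login user=alice"},
    {"index": "main", "_cd": "12:4567", "splunk_server": "idx1", "_raw": "login user=alice"},
    {"index": "main", "_cd": "13:100", "splunk_server": "idx2", "_raw": "login user=bob"},
    {"index": "main", "_cd": "14:200", "splunk_server": "idx3", "_raw": "login user=bob"},
]


def unique_id(event):
    """Same key as: eval myUniqueId = index + "_" + _cd + "_" + splunk_server"""
    return f"{event['index']}_{event['_cd']}_{event['splunk_server']}"


def duplicates_by(events, key):
    """Same idea as: stats count by <key> | where count > 1"""
    counts = Counter(key(e) for e in events)
    return {k: c for k, c in counts.items() if c > 1}


def classify(events):
    """Interpret the two checks together.

    - 'rendered_twice': the same stored event (same index/_cd/server) appears
      more than once in the result set, so the copy arose at search time,
      not at index time.
    - 'stored_twice': identical _raw text lives at different addresses, i.e.
      the text was written to the index more than once (genuinely repeated
      messages look the same, so compare timestamps before deleting anything).
    - 'clean': neither check fires.
    """
    if duplicates_by(events, unique_id):
        return "rendered_twice"
    if duplicates_by(events, lambda e: e["_raw"]):
        return "stored_twice"
    return "clean"


if __name__ == "__main__":
    print(duplicates_by(SAMPLE_EVENTS, unique_id))  # {'main_12:4567_idx1': 2}
    print(classify(SAMPLE_EVENTS))                   # rendered_twice
```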

Murali2888
Communicator

Hi javiergn,

I ran those two searches and both returned no results. This confirms that the data is not indexed twice.

We are running Splunk V6.3.0 on both the Search Head and the Indexers in a distributed environment. The Search Head and Indexers are in different sites. The Indexers are in a secured environment for data protection.

We do not have any clustering deployed on the SH or on the Indexers. It is a single Search Head talking to 4 Indexers in a distributed manner.
