Hi,
I currently have the following configuration:
                        --> rsyslog server (with splunk forwarder) --
                       /                                             \
Many linux Servers ----                                               ----> Splunk Indexer/Search Head
                       \                                             /
                        --> rsyslog server (with splunk forwarder) --
All Linux servers have their rsyslog clients configured to forward a copy of each log entry to both of the central rsyslog servers; thus the splunk forwarders are then forwarding both copies onto the Splunk Indexer, which creates a duplicate entry for each event. Given this setup, is there any way of configuring Splunk to automatically remove the duplicate log entries this setup is generating (aside from disabling one of the splunk forwarders on one of the rsyslog servers)?
Cheers,
Tom
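The setup above produces two copies of every event, one through each rsyslog relay, and any deduplication has to decide what makes two copies "the same event". The Python below is an added example written for this thread, not code from the post or from Splunk; it assumes the relays forward in traditional RFC 3164 syslog format (`<PRI>Mon DD HH:MM:SS host message`) and that the two copies differ only in which relay they passed through, so the fingerprint is built from priority, timestamp, origin host and message while the relay name is deliberately left out. The sample lines are constructed. The same idea, grouping on origin host, timestamp and message rather than on the forwarder, is what Splunk's search-time `dedup` command does when given those fields.

```python
"""Added example (not from the original post): drop the second copy of an
event that arrives through a second rsyslog relay.

Assumptions (not stated in the post):
  * lines are RFC 3164 style: <PRI>Mon DD HH:MM:SS origin-host message
  * the two copies of one event carry identical payloads; only the relay
    they came through differs (tracked here as a separate field)
"""
import hashlib
import re
from collections import OrderedDict

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def event_key(line: str) -> str:
    """Fingerprint an event by priority, timestamp, origin host and message.

    The relay hostname is NOT part of the key: it is the one thing that
    differs between the two copies of the same event."""
    m = SYSLOG_RE.match(line)
    if m:
        payload = f"{m['pri']}|{m['ts']}|{m['host']}|{m['msg']}"
    else:
        payload = line  # unparseable line: hash the raw text as a fallback
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Deduplicator:
    """Remembers the fingerprints of the last `window` accepted events and
    rejects any event whose fingerprint is already present.

    Caveat: with 1-second RFC 3164 timestamps, a genuine repeat of the same
    message from the same host within one second is indistinguishable from
    a relay duplicate and will also be dropped; forwarding with
    high-precision timestamps (rsyslog's RSYSLOG_ForwardFormat) narrows
    that window."""

    def __init__(self, window: int = 10_000):
        self.window = window
        self.seen: "OrderedDict[str, bool]" = OrderedDict()

    def accept(self, line: str) -> bool:
        key = event_key(line)
        if key in self.seen:
            return False
        self.seen[key] = True
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)  # evict the oldest fingerprint
        return True


def dedup_stream(events):
    """events: iterable of (relay_name, raw_line). Returns the lines kept,
    in arrival order, with relay duplicates removed."""
    dedup = Deduplicator()
    return [line for _relay, line in events if dedup.accept(line)]


# Constructed sample: four distinct events, each seen once via relay-a and
# once via relay-b, interleaved as they would arrive at the indexer.
SAMPLE_EVENTS = [
    ("relay-a", "<38>Mar  4 10:15:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 50322"),
    ("relay-b", "<38>Mar  4 10:15:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 50322"),
    ("relay-a", "<86>Mar  4 10:15:02 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx"),
    ("relay-b", "<38>Mar  4 10:15:03 db01 sshd[777]: Failed password for invalid user admin from 203.0.113.9 port 41022"),
    ("relay-b", "<86>Mar  4 10:15:02 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx"),
    ("relay-a", "<38>Mar  4 10:15:03 db01 sshd[777]: Failed password for invalid user admin from 203.0.113.9 port 41022"),
    ("relay-a", "<38>Mar  4 10:15:04 db01 sshd[777]: Failed password for invalid user admin from 203.0.113.9 port 41022"),
    ("relay-b", "<38>Mar  4 10:15:04 db01 sshd[777]: Failed password for invalid user admin from 203.0.113.9 port 41022"),
]

if __name__ == "__main__":
    for kept in dedup_stream(SAMPLE_EVENTS):
        print(kept)
```

Note that the two `db01` failed-password lines at 10:15:03 and 10:15:04 are kept as separate events because their timestamps differ, which is exactly the distinction the fingerprint has to preserve when the duplicates come from a brute-force style burst rather than from the second relay.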