Over, say, 4 hours:
index=platform host=remote-SQL*.local source=remote-SQL*
| stats count AS duplicates by checkpointValue, index, host, source, sourcetype
| where duplicates > 1
| stats sum(duplicates) BY index, host, source, sourcetype
returns something like:
platform remote-SQL1-SQL1.local remote.tlogs 50
platform remote-SQL1-SQL2.local remote.logins 1200
platform remote-SQL1-SQL10.local remote.registrations 5
The checkpointValue is a field alias I made to capture the different rising column checkpoint names, which differed between the db inputs, but this shouldn't be an issue since they won't be duplicated amongst the different inputs when I run the first stats command against them.
We have multiple HFs at each of our offices, but I verified that the db_inputs are not duplicated between any of these instances, as well as the db_connections in the GUI and .conf. There is a latency issue with the connection at the remote site since that country doesn't have the best internet, but from the _internal logs (if I'm reading them correctly) this shouldn't cause an issue, since Splunk knows not to duplicate events if the index, source, sourcetype and _raw are the same.
Thanks for the help!