https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/612109#M1757 <P>The best way to deal with duplicate records is to prevent them occurring.&nbsp; Duplicate events in Splunk consume license quota and storage so, even though there are ways to ignore dups at search time, they still bear a cost.&nbsp; Adjust your log collection process to avoid duplicate data as much as possible.</P> Tue, 06 Sep 2022 14:27:27 GMT richgalloway 2022-09-06T14:27:27Z https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/611992#M1756 <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class="">Our app is enclosed within a Docker container environment.&nbsp; We can access the app only through standard web interfaces and APIs.&nbsp; We have no access to the underlying operating system.&nbsp; So, through an API we retrieve the logs and store them on a remote server.&nbsp; We unzip them, put them in the known paths, and the Splunk UF on that device forwards them to Splunk.</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class="">&nbsp;</DIV> </DIV> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class=""> <DIV class="">We retrieve our logs every hour.&nbsp; They overwrite what is there.&nbsp; This means that when seen by the Splunk UF, they appear to be new logs.&nbsp; However, within them they are the same file, just with another hour of data in them.&nbsp;</DIV> <DIV class="">&nbsp;</DIV> <DIV class="">Could you please advise on how to deal with those seemingly duplicate log information? Is there a way to work the results in a Splunk pipe search? Or should we adjust it in our log collection process before the Splunk UF send them to the Splunk Cloud Plattform?</DIV> <DIV class="">&nbsp;</DIV> <DIV class="">Thank you.</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Mon, 05 Sep 2022 22:46:34 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/611992#M1756 alexrp25 2022-09-05T22:46:34Z https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/612109#M1757 <P>The best way to deal with duplicate records is to prevent them occurring.&nbsp; Duplicate events in Splunk consume license quota and storage so, even though there are ways to ignore dups at search time, they still bear a cost.&nbsp; Adjust your log collection process to avoid duplicate data as much as possible.</P> Tue, 06 Sep 2022 14:27:27 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/612109#M1757 richgalloway 2022-09-06T14:27:27Z https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/612127#M1758 <P>Hello Rich</P><P>Thank you very much for the advising. Is there a way I could do the logging collecting adjustment on the Universal Forwarder? I was wondering if I could make it ignore the duplicates before sending to Splunk Cloud.&nbsp;</P><P>Thank you.&nbsp;</P> Tue, 06 Sep 2022 17:16:29 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/612127#M1758 alexrp25 2022-09-06T17:16:29Z https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/612135#M1759 <P>The UF has no way of knowing what is a duplicate and what is not, especially if the duplication occurs across instances of an input file.</P> Tue, 06 Sep 2022 18:36:08 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/How-to-deal-with-duplicate-records/m-p/612135#M1759 richgalloway 2022-09-06T18:36:08Z