https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559495#M6396 <P>Hey codebuilder,&nbsp;<BR /><BR />the source is in the second pic, it shows all source and sourcetypes are the same for all dupicates.&nbsp;<BR /><BR />i am using the standard windows app, there is no log rotating or zip as it is purely the windows events being monitored.&nbsp;</P> Wed, 14 Jul 2021 19:51:58 GMT willsy 2021-07-14T19:51:58Z https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559436#M6380 <P>hello,&nbsp;<BR /><BR />i am monitoring windows event logs and ingesting them to my indexers, the issue is that even with a unique EventRecordID i am seeing multiple events in Splunk, sometimes up to 28.&nbsp;<BR /><BR />second to that, when i complete the two searches in the picture i can see that the same event is being indexed multiple times (14) between 13:33:31 and 13:36:00<BR /><BR />any help on how to rectify this issue is greatly appreciated.&nbsp;<BR /><BR />please see attached the two searches showing multiple indexed results and also multiple indexed times.&nbsp;<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Paste 1.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15090i81EA5B386CCAE9A8/image-size/large?v=v2&amp;px=999" role="button" title="Paste 1.PNG" alt="Paste 1.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="paste 2.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15091i0ECBBF8BE012758D/image-size/large?v=v2&amp;px=999" role="button" title="paste 2.PNG" alt="paste 2.PNG" /></span></P> Wed, 14 Jul 2021 14:19:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559436#M6380 willsy 2021-07-14T14:19:34Z https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559494#M6395 <P>Are your log files being rotated, such as to zip files? Duplicate events such as this can happen if log files are rotated, renamed, or compressed. Splunk will see those as new files and ingest them, unless you explicitly blacklist them.</P><P>Try adding source to your search to see what files the events are coming from.</P> Wed, 14 Jul 2021 19:48:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559494#M6395 codebuilder 2021-07-14T19:48:29Z https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559495#M6396 <P>Hey codebuilder,&nbsp;<BR /><BR />the source is in the second pic, it shows all source and sourcetypes are the same for all dupicates.&nbsp;<BR /><BR />i am using the standard windows app, there is no log rotating or zip as it is purely the windows events being monitored.&nbsp;</P> Wed, 14 Jul 2021 19:51:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559495#M6396 willsy 2021-07-14T19:51:58Z https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559498#M6397 <P>That pic doesn't include the actual source file.</P><P>Try running the following:</P><P>|tstats count where index=windows_event_log by source</P> Wed, 14 Jul 2021 20:08:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559498#M6397 codebuilder 2021-07-14T20:08:45Z https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559538#M6402 <P>Good morning,&nbsp;<BR /><BR />So if i did your search without specifically asking for that EventRecordID i have the three sources&nbsp;<BR /><BR />XmlWinEventLog:Application<BR />XmlWinEvenLog:Security<BR />XmlWinEventLog:System<BR /><BR />If however i do the same with that specific EventRecordID it is only aligned to source;<BR />XmlWinEventLog:Security<BR /><BR />Which means that it is coming from only one source.&nbsp;</P> Thu, 15 Jul 2021 07:32:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/559538#M6402 willsy 2021-07-15T07:32:33Z https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/580664#M11116 <P>How to resolve the issue if logs are rotated or compressed. How to blacklist them?&nbsp;</P><P>Splunk is ingesting duplicate events in my org.</P><P>&nbsp;</P><P>Help me how to fix issue if logs are rotated or compressed.</P><P>Highly appreciate your help.</P> Tue, 11 Jan 2022 17:55:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/duplicate-events-multiple-indexed-times/m-p/580664#M11116 mani1 2022-01-11T17:55:16Z