https://community.splunk.com/t5/Splunk-Enterprise/Logs-are-indexed-twice/m-p/19326#M8401 <P>In our case, it was due to file parts. Added blacklist = .(filepart)$ under monitor stanza of inputs.conf file of forwarder node</P> Mon, 01 Jul 2013 06:32:56 GMT strive 2013-07-01T06:32:56Z https://community.splunk.com/t5/Splunk-Enterprise/Logs-are-indexed-twice/m-p/19325#M8400 <P>Hi,</P> <P>We have a simple use case.<BR /> 1. Place the log file in the directory in forwarder node (LWF node). This directory is monitored for logs.<BR /> 2. Check if the data is indexed.</P> <P>I placed a log file with just 3 events. It worked fine. I checked by writing a splunk query(index=my_raw_index) on search page and it displayed 3 records.</P> <P>I cleaned the index. Placed a log file with 100 events. It worked fine. </P> <P>I cleaned the index. Placed a log file with 17000 events. When i checked my_raw_index, there were 34000 records.</P> <P>I tried again with lesser number of events. For lesser events it works fine, but not for the log files with more events. Why it is duplicating the events.</P> <P>Thanks</P> <P>Strive</P> Mon, 28 Sep 2020 13:48:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Logs-are-indexed-twice/m-p/19325#M8400 strive 2020-09-28T13:48:09Z https://community.splunk.com/t5/Splunk-Enterprise/Logs-are-indexed-twice/m-p/19326#M8401 <P>In our case, it was due to file parts. Added blacklist = .(filepart)$ under monitor stanza of inputs.conf file of forwarder node</P> Mon, 01 Jul 2013 06:32:56 GMT https://community.splunk.com/t5/Splunk-Enterprise/Logs-are-indexed-twice/m-p/19326#M8401 strive 2013-07-01T06:32:56Z https://community.splunk.com/t5/Splunk-Enterprise/Logs-are-indexed-twice/m-p/19327#M8402 <P>In our case, it was due to file parts. Added blacklist = .(filepart)$ under monitor stanza of inputs.conf file of forwarder node</P> Mon, 01 Jul 2013 06:33:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/Logs-are-indexed-twice/m-p/19327#M8402 strive 2013-07-01T06:33:14Z