https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623029#M107221 <P>Hehe <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />Alright, thanks for your input!</P> Fri, 02 Dec 2022 13:40:32 GMT zapping575 2022-12-02T13:40:32Z https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623013#M107216 <P>Dear all,</P><P>I have the use case that my splunk universal forwarder does not continuously monitor my logs.</P><P>Because of this nature, I am using batch mode to have the files deleted after ingestion.</P><P>Now, I occasionally receive log files which I have already received at an earlier point in time.</P><P>Problem is: The features crcSalt, initCrcLength etc. are only available in monitor mode. This means that I am not able to benefit from splunks features to prevent duplicate ingestion of the same data.</P><P>Any help on a solution for this is greatly appreciated.</P> Fri, 02 Dec 2022 11:41:42 GMT https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623013#M107216 zapping575 2022-12-02T11:41:42Z https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623024#M107218 <P>I'd try writing some external "helper" script which keeps track of files.</P><P>But the question is why don't you use monitor input? Unless you absolutely need the sinkholing functionality and can't get around it another way (like logrotate or such).</P> Fri, 02 Dec 2022 12:55:04 GMT https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623024#M107218 PickleRick 2022-12-02T12:55:04Z https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623025#M107219 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a></P><P>Thanks for your reply.</P><P>I think also that keeping track of files is something that I will have to implement myself.</P><P>I was just hoping to be able to use what splunk has.</P><P>On why not using monitor inputs:</P><P>I have a http endpoint that receives log files from another system and extracts them to disk, where the forwarder then picks them up. I could use monitor mode, but because there is no log rotation or similar it will ultimately result in filling up the disk.<BR />What is charming about batch mode is that it ensures that the disk space is free again after a new file has been completely ingested.</P> Fri, 02 Dec 2022 13:16:03 GMT https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623025#M107219 zapping575 2022-12-02T13:16:03Z https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623028#M107220 <P>Yeah, but you end up with duplicates <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>If you can assure that there is a maximum possible period for duplicate creation, you could get away with monitor input and external script to clean up the directory of files older than given time. - that could be an alternative approach (probably easier to implement).</P> Fri, 02 Dec 2022 13:37:15 GMT https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623028#M107220 PickleRick 2022-12-02T13:37:15Z https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623029#M107221 <P>Hehe <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />Alright, thanks for your input!</P> Fri, 02 Dec 2022 13:40:32 GMT https://community.splunk.com/t5/Getting-Data-In/Detection-of-duplicate-files-in-batch-mode/m-p/623029#M107221 zapping575 2022-12-02T13:40:32Z