https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93477#M19439 <P>Any help would be good! </P> Fri, 13 Jul 2012 08:35:00 GMT jaterlwj 2012-07-13T08:35:00Z https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93474#M19436 <P>I have tested and realized that when monitoring a file with let's say 24 rows with the option "Continuously index data from a file or directory this Splunk instance can access".<BR /> I noticed that when I add a new row and refreshes. There are now 49 rows. The older 24 records are being duplicated. Is there any option to stop duplicate rows?</P> <P>Here are some specifics.<BR /> File format: .log<BR /> Specify the source:"Continuously index data from a file or directory this Splunk instance can access."</P> <P>set host: constant value<BR /> set source type: manual<BR /> destination index:default</P> Mon, 09 Jul 2012 05:31:34 GMT https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93474#M19436 jaterlwj 2012-07-09T05:31:34Z https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93475#M19437 <P>is your log file terminated with an end of file message, something like [END OF LOG FILE]?</P> <P>if so, this will confuse splunk. splunk uses the last 256 bytes for CRC. If you have a termination message that is constantly appended to your file, the CRC check will fail. When this happens, splunk rereads the file, thus duplicating records.</P> <P>See: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled#How_Splunk_recognizes_log_rotation">splunk log rotation</A> </P> Mon, 09 Jul 2012 13:58:22 GMT https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93475#M19437 ak 2012-07-09T13:58:22Z https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93476#M19438 <P>Hi thank you for your reply! But the log file that I used does not contain any end of file message!</P> Tue, 10 Jul 2012 01:28:46 GMT https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93476#M19438 jaterlwj 2012-07-10T01:28:46Z https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93477#M19439 <P>Any help would be good! </P> Fri, 13 Jul 2012 08:35:00 GMT https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93477#M19439 jaterlwj 2012-07-13T08:35:00Z https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93478#M19440 <P>check the _internal index. it appears the whole file is being reread, thus 24 + 25 rows.</P> Fri, 13 Jul 2012 14:05:41 GMT https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93478#M19440 ak 2012-07-13T14:05:41Z https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93479#M19441 <P>Hi, Thanks for your reply.</P> <P>Pardon me for my ignorance, but what should I look for under the _internal index? There's roughly 1.7m events in there. <span class="lia-unicode-emoji" title=":face_with_open_mouth:">😮</span></P> Mon, 16 Jul 2012 02:23:51 GMT https://community.splunk.com/t5/Getting-Data-In/Duplicate-records/m-p/93479#M19441 jaterlwj 2012-07-16T02:23:51Z