https://community.splunk.com/t5/Getting-Data-In/Configurations-that-Filters-Existing-Orders-from-AS-400-File/m-p/175082#M35155 <P>This <EM>might</EM> be possible if you </P> <P>(1) Keep the same file name. In other words, overwrite the old file with the new file each hour.</P> <P>(2) Make sure that the beginning of the file (up to the point of the new data) has not changed.</P> <P>But if Splunk figures out that this is a different file, it will index it from the beginning, causing the duplication that you are trying to avoid.</P> <P>There is no way for Splunk to compare inbound data with existing data before indexing. However, it is possible to "dedup" data being retreived during a search - although you have to do it explicitly with the <CODE>uniq</CODE> command.</P> <P>I would test it out.</P> Thu, 22 May 2014 20:05:03 GMT lguinn2 2014-05-22T20:05:03Z https://community.splunk.com/t5/Getting-Data-In/Configurations-that-Filters-Existing-Orders-from-AS-400-File/m-p/175081#M35154 <P>I'm looking to come up with some configurations that filter out existing orders from files I (currently) manually copy to a local directory where Splunk then picks them up and indexes the order info for that hour.</P> <P>Each file that comes out from the AS/400 has a total of all orders with various information on that order(CustomerNumber, PONumber, Date, Time, etc.) up to that particular hour.</P> <P>Basically every time Splunk Picks up one of those files, I want it so that Splunk only indexes the NEW orders, rather than indexing the same order data from the previous hours. Otherwise, there will be a large amount of duplicate data being indexed.</P> <P>Is there a way I can do this? Let me know if any information is needed to dig in to this further.</P> <P>Thanks in advance!</P> Thu, 22 May 2014 12:29:35 GMT https://community.splunk.com/t5/Getting-Data-In/Configurations-that-Filters-Existing-Orders-from-AS-400-File/m-p/175081#M35154 _gkollias 2014-05-22T12:29:35Z https://community.splunk.com/t5/Getting-Data-In/Configurations-that-Filters-Existing-Orders-from-AS-400-File/m-p/175082#M35155 <P>This <EM>might</EM> be possible if you </P> <P>(1) Keep the same file name. In other words, overwrite the old file with the new file each hour.</P> <P>(2) Make sure that the beginning of the file (up to the point of the new data) has not changed.</P> <P>But if Splunk figures out that this is a different file, it will index it from the beginning, causing the duplication that you are trying to avoid.</P> <P>There is no way for Splunk to compare inbound data with existing data before indexing. However, it is possible to "dedup" data being retreived during a search - although you have to do it explicitly with the <CODE>uniq</CODE> command.</P> <P>I would test it out.</P> Thu, 22 May 2014 20:05:03 GMT https://community.splunk.com/t5/Getting-Data-In/Configurations-that-Filters-Existing-Orders-from-AS-400-File/m-p/175082#M35155 lguinn2 2014-05-22T20:05:03Z https://community.splunk.com/t5/Getting-Data-In/Configurations-that-Filters-Existing-Orders-from-AS-400-File/m-p/175083#M35156 <P>Awesome - thanks for your suggestions. I will some testing around it a bit more and come back with some feedback</P> Fri, 23 May 2014 18:02:51 GMT https://community.splunk.com/t5/Getting-Data-In/Configurations-that-Filters-Existing-Orders-from-AS-400-File/m-p/175083#M35156 _gkollias 2014-05-23T18:02:51Z