topic Re: Universal Forwarder resending event log data in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304538#M57430 <P>Is your forwarder resending event logs again? Has any specific activity was performed on your UF like version upgrade?</P> Fri, 12 Jan 2018 17:05:57 GMT somesoni2 2018-01-12T17:05:57Z Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304537#M57429 <P>If the IP address for a host changes or if it gets a new GUID, would the forwarder resend the entire Windows event log?</P> Fri, 12 Jan 2018 16:12:31 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304537#M57429 splunkjas1 2018-01-12T16:12:31Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304538#M57430 <P>Is your forwarder resending event logs again? Has any specific activity was performed on your UF like version upgrade?</P> Fri, 12 Jan 2018 17:05:57 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304538#M57430 somesoni2 2018-01-12T17:05:57Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304539#M57431 <P>The forwarders are resending event logs. We upgraded them from 6.4.4 to 6.4.9. Would the upgrade cause logs to be resent?</P> Fri, 12 Jan 2018 17:08:15 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304539#M57431 splunkjas1 2018-01-12T17:08:15Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304540#M57432 <P>It depends. <BR /> If you uninstalled the old forwarder and then reinstalled the new one, it’s quite possible that it will re-read and send all the logs. </P> <P>If you upgraded the forwarder this should not occurr, even if the ip or guild changes. </P> Fri, 12 Jan 2018 17:19:08 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304540#M57432 nickhills 2018-01-12T17:19:08Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304541#M57433 <P>It should'nt. How did you do the upgrade (procedure)? Was it it inline with what this Splunk documentation suggests?<BR /> <A href="https://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/UpgradetheWindowsuniversalforwarder#Upgrade_a_single_forwarder_using_the_command_line">https://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/UpgradetheWindowsuniversalforwarder#Upgrade_a_single_forwarder_using_the_command_line</A></P> Fri, 12 Jan 2018 17:21:17 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304541#M57433 somesoni2 2018-01-12T17:21:17Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304542#M57434 <P>I asked the folks who performed the upgrade and they told me they do uninstall the 6.4.4 version before installing 6.4.9. So that's probably what caused the logs to be resent, would you agree?</P> Fri, 12 Jan 2018 17:24:50 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304542#M57434 splunkjas1 2018-01-12T17:24:50Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304543#M57435 <P>Yes. In that case I would say it’s expected behaviour</P> Fri, 12 Jan 2018 17:27:02 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304543#M57435 nickhills 2018-01-12T17:27:02Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304544#M57436 <P>Okay, thank you.</P> Fri, 12 Jan 2018 17:28:57 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304544#M57436 splunkjas1 2018-01-12T17:28:57Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304545#M57437 <P>I converted my comment to an answer, so you can accept it if it helped </P> Fri, 12 Jan 2018 17:32:08 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304545#M57437 nickhills 2018-01-12T17:32:08Z Re: Universal Forwarder resending event log data https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304546#M57438 <P>I noted “possible” because depending on your config, it may elect to only send evens which are older than x days, or in the case of windows events, only while the forwarder is running. Neither of these are default config, and have drawbacks. </P> Fri, 12 Jan 2018 17:34:33 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-resending-event-log-data/m-p/304546#M57438 nickhills 2018-01-12T17:34:33Z