https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-Event-Logs-sent-and-indexed-every-half-hour/m-p/328641#M60978 <P>Our domain controllers were resending the entire Windows EventLog every 30 minutes. No duplicate inputs entries. No duplicate outputs entries. Using a search like</P> <PRE><CODE>host=foohost index=bar_index earliest=-1h | convert ctime(_indextime) | convert ctime(_time) | stats count list(host) list(splunk_server) list(_time) list(_indextime) by _raw </CODE></PRE> <P>would display multiple indexings of the exact same _raw message, even the timestamp. Adjusting the earliest parameter showed that it happened every 30 minutes.</P> <P>We encountered this on Splunk 6.5.1</P> <P>We tried a fresh re-install of the forwarder, no change.<BR /><BR /> We tried inspecting the checkpoint file, but it wasn't corrupt or anything.</P> Wed, 12 Apr 2017 19:50:47 GMT mmccul 2017-04-12T19:50:47Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-Event-Logs-sent-and-indexed-every-half-hour/m-p/328641#M60978 <P>Our domain controllers were resending the entire Windows EventLog every 30 minutes. No duplicate inputs entries. No duplicate outputs entries. Using a search like</P> <PRE><CODE>host=foohost index=bar_index earliest=-1h | convert ctime(_indextime) | convert ctime(_time) | stats count list(host) list(splunk_server) list(_time) list(_indextime) by _raw </CODE></PRE> <P>would display multiple indexings of the exact same _raw message, even the timestamp. Adjusting the earliest parameter showed that it happened every 30 minutes.</P> <P>We encountered this on Splunk 6.5.1</P> <P>We tried a fresh re-install of the forwarder, no change.<BR /><BR /> We tried inspecting the checkpoint file, but it wasn't corrupt or anything.</P> Wed, 12 Apr 2017 19:50:47 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-Event-Logs-sent-and-indexed-every-half-hour/m-p/328641#M60978 mmccul 2017-04-12T19:50:47Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-Event-Logs-sent-and-indexed-every-half-hour/m-p/328642#M60979 <P>Hi, <BR /> - Is the sourcetype the same? WMI enabled? Possible some other host is doing WMI collection? sourcetype would tell you that. <BR /> - If you disable inputs.conf will you still get logs? <BR /> - Check metrics.logs <BR /> - How was the UF installed? CLI installation with WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 ?</P> <P>I hope this help you debugging the issue! </P> Tue, 29 Sep 2020 13:39:01 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-Event-Logs-sent-and-indexed-every-half-hour/m-p/328642#M60979 abalogh_splunk 2020-09-29T13:39:01Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-Event-Logs-sent-and-indexed-every-half-hour/m-p/328643#M60980 <P>After much debugging with Splunk support, we determined that having </P> <P><STRONG>start_from=newest</STRONG></P> <P>in our configs was a primary cause of the behavior. Disabling that directive on the inputs, going back to the default </P> <P><STRONG>start_from = oldest</STRONG> </P> <P>eliminated the issue immediately. Hopefully this helps others.</P> Thu, 13 Apr 2017 16:44:21 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Windows-Event-Logs-sent-and-indexed-every-half-hour/m-p/328643#M60980 mmccul 2017-04-13T16:44:21Z