https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396588#M70682 <P>The tracking of duplicate input files is done by the individual forwarders. Since each forwarder does not know what other forwarders have processed, you will get duplicates.</P> Mon, 15 Jul 2019 12:39:02 GMT richgalloway 2019-07-15T12:39:02Z https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396587#M70681 <P>Hi,<BR /> I have an application that logs to a shared clustered file system.<BR /> What happens when I install the fowarder (via deployment server and identical configuation) on on each of the nodes to monitor the logs on the this file system?<BR /> Do I get duplicates for each of the hosts or can splunk identify that they are dupes even though they come from different hosts?<BR /> Would crcsalt help here?<BR /> thx<BR /> afx</P> Mon, 15 Jul 2019 09:49:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396587#M70681 afx 2019-07-15T09:49:47Z https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396588#M70682 <P>The tracking of duplicate input files is done by the individual forwarders. Since each forwarder does not know what other forwarders have processed, you will get duplicates.</P> Mon, 15 Jul 2019 12:39:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396588#M70682 richgalloway 2019-07-15T12:39:02Z https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396589#M70683 <P>Drat...<BR /> Two ideas:<BR /> 1: Forcing an identical hostname, would that help the indexer to identify incoming dupes?<BR /> 2: Using a heavy forwarder inbetween to filter out dupes.<BR /> I really want to avoid #2, that would mean I either add additional burden to a box or need a new box.<BR /> thx<BR /> afx</P> Mon, 15 Jul 2019 12:49:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396589#M70683 afx 2019-07-15T12:49:01Z https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396590#M70684 <OL> <LI> Indexers do not identify dupes. You can do that at search time, however.</LI> <LI>An intermediate HF could probably do the time, but it would be a bottleneck and would impair performance. Splunk advises against intermediate forwarders unless absolutely necessary.</LI> </OL> <P>What you really should do is avoid having more than one forwarder read a given file.</P> Mon, 15 Jul 2019 15:24:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396590#M70684 richgalloway 2019-07-15T15:24:07Z https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396591#M70685 <P>Yup, avaoiding that would be best. I am currently trying to figure out whether the forwarder can be startet / stopped with the application, so there might be some minimal overlap, but overall only one of them is active.</P> Mon, 15 Jul 2019 15:37:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-are-identical-files-from-multiple-clustered-systems-handled/m-p/396591#M70685 afx 2019-07-15T15:37:17Z