https://community.splunk.com/t5/Getting-Data-In/Splunk-duplicate-logs-isn-t-working/m-p/551944#M91600 <P>I have the following inputs.conf in the UF for Splunk_TA_windows.</P><P>My intension is to send a copy of logs into two different indexers, I am aware of license re-use but I am ok with that. With the below config some logs are going to one index and other logs are going to other index.</P><P>When I compare the logs in index wineventlog and testsys they are not identical, the logs that I see in wineventlog are different and testsys are different. Looks like some are pushed to one index while other are pushed to&nbsp;</P><P>&nbsp;</P><P class="lia-indent-padding-left-60px">###### Windows OS Logs ##############</P><P class="lia-indent-padding-left-60px">[WinEventLog://Application]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = testsys<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Application]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = wineventlog<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Security]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />evt_resolve_ad_obj = 1<BR />checkpointInterval = 5<BR />blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />index = testsys<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Security]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />evt_resolve_ad_obj = 1<BR />checkpointInterval = 5<BR />blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />index = wineventlog<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://System]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = testsys<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://System]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = wineventlog<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational]<BR />disabled = 0</P> Tue, 18 May 2021 05:18:47 GMT splunky1 2021-05-18T05:18:47Z https://community.splunk.com/t5/Getting-Data-In/Splunk-duplicate-logs-isn-t-working/m-p/551944#M91600 <P>I have the following inputs.conf in the UF for Splunk_TA_windows.</P><P>My intension is to send a copy of logs into two different indexers, I am aware of license re-use but I am ok with that. With the below config some logs are going to one index and other logs are going to other index.</P><P>When I compare the logs in index wineventlog and testsys they are not identical, the logs that I see in wineventlog are different and testsys are different. Looks like some are pushed to one index while other are pushed to&nbsp;</P><P>&nbsp;</P><P class="lia-indent-padding-left-60px">###### Windows OS Logs ##############</P><P class="lia-indent-padding-left-60px">[WinEventLog://Application]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = testsys<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Application]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = wineventlog<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Security]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />evt_resolve_ad_obj = 1<BR />checkpointInterval = 5<BR />blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />index = testsys<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Security]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />evt_resolve_ad_obj = 1<BR />checkpointInterval = 5<BR />blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"<BR />index = wineventlog<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://System]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = testsys<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://System]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR />index = wineventlog<BR />renderXml = false</P><P class="lia-indent-padding-left-60px">[WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational]<BR />disabled = 0</P> Tue, 18 May 2021 05:18:47 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-duplicate-logs-isn-t-working/m-p/551944#M91600 splunky1 2021-05-18T05:18:47Z https://community.splunk.com/t5/Getting-Data-In/Splunk-duplicate-logs-isn-t-working/m-p/551962#M91606 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234489">@splunky1</a>,</P><P>Splunk doens't index twice the same log so the solution you tried doesn't work.</P><P>If you want to send some logs to two indexes (with double license consuption!) you have to follow the steps described at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input</A>&nbsp;</P><P>ùIn few words, you have to insert in outputs.conf two destinations&nbsp;</P><LI-CODE lang="markup">[tcpout:systemGroup] server=server1:9997 [tcpout:applicationGroup] server=server2:9997</LI-CODE><P>and in inputs.conf say which logs must be sent to only one or both the indexes:</P><LI-CODE lang="markup">[monitor://.../file1.log] _TCP_ROUTING = systemGroup [monitor://.../file2.log] _TCP_ROUTING = applicationGroup</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 18 May 2021 06:41:24 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-duplicate-logs-isn-t-working/m-p/551962#M91606 gcusello 2021-05-18T06:41:24Z