[Real-Time Output App] same events are sent again and again

kwchang_splunk
Splunk Employee

Hi all,
Using the Real-Time Output app, I want to send newly updated events to a 3rd-party system. But when I tested this app, many duplicated events were sent again and again. It works exactly the same way as all-time windowed real-time searches: once an event is shown, it will not disappear until the result count hits the maximum count (100000).

Can I send only new events, without duplicates, in real time using this app? How can I configure it?

Thank you in advance.

Lucas_K
Motivator

This is an old question, but I've found the same thing when I have a syslog/kv target (I haven't noticed it with CEF output).

Each search slowly grows its time window until it exceeds the maxresultrows items limit.

I haven't figured out the root cause.

edit: root cause found. There was a `table` command in the search. You only need a `fields` command at the end. Don't use `table` and the duplicates go away.

edit2: OK, it fixed it for that rule, but all other rules are duplicating as well. Around 50 times as many events compared to the base search.
