Our current setup looks like this:
Search Head 1
Search Head 2
Search Head 3
A couple of months ago, I added a db_input for our Management app. The input took raw SQL. Within that SQL it returned a warning level and alarm level hard coded.
Warning = 4000, Alarm = 3500.
However, this week, I took the SQL and stored it as a Stored Procedure on our MSSQL database. I edited the exact same db input, replacing the SQL with "EXEC splunk.dbo.moves". In that stored procedure, I changed Warning to 3000 and Alarm to 2500. I have the input to run every 5 minutes. Now, it returns both the old data and the new data. Meaning I am seeing Warning = 4000 sometimes and 3000 other times. Same goes for Alarm.
I restarted Splunk on all 7 systems that we have. I checked db_inputs conf on both Deployment Server and under shcluster apps folder, and the Deployer. I am not seeing anywhere that has the old code in it. Is there anywhere else to check? Or any other ideas? I just created a brand new db_inputs called something else with just the stored procedure so we can get our data. However, the old stuff is still getting indexed, and they're a waste of space.
Thanks, hope this makes sense.