
What happens if I forward the exact same data to an index twice?

JSkier
Communicator

I have a complex distributed environment; I'll try to stick to the root of my concerns. Basically, I have site 1 and site 2. Site 2 just forwards directly to site 1 now via a forwarder. However, I would like to have site 2 forward to a site 2 indexer.

The problem I see is that I will be forwarding the site 2 index to the site 1 index (I won't go into details, it is what needs to be done). What happens if the site 2 index sends the exact same data as the site 1 index is already getting? I imagine there will be a slight overlap with some of the logs during this transition; however, I worry about the implications of this duplicity.


yannK
Splunk Employee

Then you have the same event twice:
probably the same _raw, the same sourcetype, index, source, or host,
and probably a different _indextime, depending on who parsed it.

PS: It will also be counted twice on the license.
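An added example, not part of the original thread: a way to confirm the overlap after the transition by grouping exported events on the fields the answer names and listing the differing `_indextime` values. The JSON-lines export format, the function names and the sample events are assumptions constructed for illustration, and the byte figure is only an approximation of the doubly counted raw volume.

```python
import json
from collections import defaultdict

# Constructed sample: events exported as JSON lines (assumed export format).
SAMPLE_EXPORT = """\
{"_raw": "Jan 10 10:00:01 web01 sshd[811]: Accepted publickey for ops", "host": "web01", "source": "/var/log/auth.log", "sourcetype": "linux_secure", "index": "main", "_indextime": "1704880803"}
{"_raw": "Jan 10 10:00:01 web01 sshd[811]: Accepted publickey for ops", "host": "web01", "source": "/var/log/auth.log", "sourcetype": "linux_secure", "index": "main", "_indextime": "1704880861"}
{"_raw": "Jan 10 10:00:07 web01 sshd[812]: Failed password for root", "host": "web01", "source": "/var/log/auth.log", "sourcetype": "linux_secure", "index": "main", "_indextime": "1704880809"}
{"_raw": "Jan 10 10:00:07 web01 sshd[812]: Failed password for root", "host": "web02", "source": "/var/log/auth.log", "sourcetype": "linux_secure", "index": "main", "_indextime": "1704880870"}
"""

# Fields the answer expects to be identical on a doubly forwarded event.
KEY_FIELDS = ("index", "host", "source", "sourcetype", "_raw")


def find_duplicates(export_text):
    """Map each repeated (index, host, source, sourcetype, _raw) key
    to the sorted list of _indextime values it was indexed at."""
    groups = defaultdict(list)
    for line in export_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the export
        event = json.loads(line)
        key = tuple(event.get(field, "") for field in KEY_FIELDS)
        groups[key].append(int(event["_indextime"]))
    return {key: sorted(times) for key, times in groups.items() if len(times) > 1}


def extra_raw_bytes(duplicates):
    """Approximate raw bytes indexed more than once (every copy after the first)."""
    return sum(
        len(key[-1].encode("utf-8")) * (len(times) - 1)
        for key, times in duplicates.items()
    )


if __name__ == "__main__":
    dups = find_duplicates(SAMPLE_EXPORT)
    for key, times in dups.items():
        print(f"{len(times)} copies, _indextime={times}: {key[-1]}")
    print("approx. extra raw bytes:", extra_raw_bytes(dups))
```

The fourth sample event shares its `_raw` with the third but comes from a different host, so it is not reported as a duplicate.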


JSkier
Communicator

Seems to work fine; I was nervous about borking an index. Thanks!
