Why am I getting duplicate logs from a particular index?

New Member

I am getting duplicate logs from particular index , please let me know how to rectify this.

0 Karma

  1. Make sure forwarder is not re reading the file. You can check for _indextime which should give you some clue when the events are indexes
  2. Check for splunkd.log on the forwarder, At times you can see the forwarder is re reading the file due to crc mismatch which should help you find the root cause
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!