Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Duplicate events in every index

snsaxena
Loves-to-Learn Lots
‎05-19-2021 01:12 AM

I can see that we are having duplicate events in every index, query used to identify the duplicate events:

index=* |eval myID=_cd |search [search index=* |streamstats count by _raw |search count>1|eval myID=_cd |fields myID ] |stats c(myID) as dpc by index

Query used to get bucket details of these events:

index=* | eval cd=_cd | eval bkt= _bkt | table cd bkt index splunk_server _time source host sourcetype _raw

 

Note: SF and RF are not met and are set to 3:3. We have multisite clustered environment.

Could this issue be due to SF RF not met or somehow SH is showing up data from replicated buckets as well? Is there a fix to this?

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...