Getting Data In

Duplicate event with rotate log

dungnq
Loves-to-Learn

Hi team,

I encountered a problem when retrieving data from rotate log files: duplicate event.
For example: the event in file test.log.1 has been retrieved, when rotating to test.log.2 splunk retrieves it again.
How to configure splunk to only retrieve the latest events and not events that have been rotated to another file?
=====
Log4j App information:
log4j.appender.file.File=test.log
log4j.appender.file.MaxFileSize=10000KB
log4j.appender.file.MaxBackupIndex=99
=====
Splunk inputs.conf information
[monitor:///opt/IBM/WebSphere/AppServer/profiles/APP/test.log*]

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dungnq,

are you using crcSalt = <SOURCE> in your inputs.conf?

Ciao.

Giuseppe

0 Karma

dungnq
Loves-to-Learn

Hi @gcusello,
Thank you for your response. Currently I have configured the crcSalt parameter on the inputs.conf file
----

[monitor:///opt/IBM/WebSphere/AppServer/profiles/APP/test.log*]
index = app
sourcetype = tws:aws:testdev:app
disabled = false
crcSalt = <SOURCE>
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dungnq,

is it mandatory for your ingestion?

this is the reason for the double ingestion: logs arrive from different files.

Without crcSalt = <SOURCE>, Splunk doesn't index twice a log.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...