Getting Data In

Duplicated Events: Local Log4net_xml Monitor

JacobCarrell
Explorer

I've got an issue where a significant portion of my ingested Log4Net_xml sourcetype logs have duplicate events. I'm currently using a file monitor on a Ubuntu 16.04 LTS, Splunk 7.3.0 machine with a local Monitor stanza to ingest the logs which looks like this:

[monitor:///mnt/CALogs/.../*.log]
disabled = 0
host_segment = 4
index = ca
sourcetype = log4net_xml
#initCrcLength = 1024 # Tried this, it started reindexing all the log file.

Our Log4Net configs looks like this:

<appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
               <file type="log4net.Util.PatternString" value="\\server1\ca\Logs\Application\%property{log4net:HostName}\Application.log" />
               <appendToFile value="true" />
               <rollingStyle value="Size" />
               <maximumFileSize value="5MB" />
               <staticLogFileName value="true" />
               <maxSizeRollBackups value="10" />
               <layout type="log4net.Layout.XMLLayout" />
          </appender>

I have that directory mounted over SMB/CIFS with the following entry in fstab:

//server1/LogsCA /mnt/CALogs cifs username=user,password=Password,domain=somedomain.dev,sec=ntlm 0 0

 

Can anybody spot what I'm doing wrong?

 

Here's a picture of the search that I'm using to estimate duplicates:

JacobCarrell_0-1595945517609.png

 

Labels (3)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...