I've got an issue where a significant portion of my ingested Log4Net_xml sourcetype logs have duplicate events. I'm currently using a file monitor on a Ubuntu 16.04 LTS, Splunk 7.3.0 machine with a local Monitor stanza to ingest the logs which looks like this:
[monitor:///mnt/CALogs/.../*.log]
disabled = 0
host_segment = 4
index = ca
sourcetype = log4net_xml
#initCrcLength = 1024 # Tried this, it started reindexing all the log file.
Our Log4Net configs looks like this:
<appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
<file type="log4net.Util.PatternString" value="\\server1\ca\Logs\Application\%property{log4net:HostName}\Application.log" />
<appendToFile value="true" />
<rollingStyle value="Size" />
<maximumFileSize value="5MB" />
<staticLogFileName value="true" />
<maxSizeRollBackups value="10" />
<layout type="log4net.Layout.XMLLayout" />
</appender>
I have that directory mounted over SMB/CIFS with the following entry in fstab:
//server1/LogsCA /mnt/CALogs cifs username=user,password=Password,domain=somedomain.dev,sec=ntlm 0 0
Can anybody spot what I'm doing wrong?
Here's a picture of the search that I'm using to estimate duplicates: