Getting Data In

Events Doubled Overnight

keldridg2
New Member

I am having an issue: as of July 25 and July 26 the events have doubled for the logon and logoff commands that I used. For no reason, on July 25 it said it had 4,875 events for logon and 4,625 events for logoff. On July 26 it now says it has 7,129 events for logon and 7,037 events for logoff. I checked through the times on both days, July 25 and July 26. At around 2:00 PM it had 192 events, then climbed up to 265 events and never came back down to 190 events again for those two days. It now has between 280 and 300 events for logon and logoff. Can somebody tell me what this issue is and why the events doubled?

0 Karma

niketn
Legend

@keldridg2 this seems to be more of a business-use-case question/investigation than a Splunk-related one.

1) Either your traffic was actually high on July 26th, for which you would need to investigate further as to which activities users performed during logins, or whether there was a system issue because of which they logged off or had to log off.

2) You have duplicate data sent to Splunk due to some configuration change after the 25th. I highly doubt this, as in that case the increase in the trend would be consistent for all the following days rather than just the 26th. But you can perform dedup/stats on your data with a key field for each session, like the session ID, to get the count of duplicates.

I would suggest you perform a deep dive into your data and correlate with all the events in your system to investigate further; maybe set up anomaly detection and prediction with your data to catch such cases up front.

I am not sure how much the community would be able to assist you with this.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
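The dedup/stats check suggested in the answer above, written out as an added example that is not part of the thread: a short Python stand-in for what you would run in SPL, which compares the raw event count per day and action against the count of distinct events keyed on (timestamp, session ID, host). Genuine traffic keeps the two equal; duplicated ingestion inflates the raw count while the distinct count stays flat. It also reports which host the duplicate copies came from, since a single host points at a forwarder or input misconfiguration rather than real user activity. The event layout, year, session IDs and hostnames are all constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed sample events: (timestamp, action, session_id, host).
# The year, session IDs and hostnames are invented for this example;
# July 26 contains two events that were ingested twice from host ws01.
SAMPLE_EVENTS = [
    ("2019-07-25 13:55:00", "logon",  "s-101", "ws01"),
    ("2019-07-25 13:57:00", "logon",  "s-102", "ws02"),
    ("2019-07-25 14:03:00", "logoff", "s-101", "ws01"),
    ("2019-07-25 14:10:00", "logon",  "s-103", "ws03"),
    ("2019-07-26 09:00:00", "logon",  "s-201", "ws01"),
    ("2019-07-26 09:00:00", "logon",  "s-201", "ws01"),  # duplicate copy
    ("2019-07-26 09:30:00", "logoff", "s-201", "ws01"),
    ("2019-07-26 09:30:00", "logoff", "s-201", "ws01"),  # duplicate copy
    ("2019-07-26 10:00:00", "logon",  "s-202", "ws02"),
    ("2019-07-26 10:05:00", "logon",  "s-203", "ws03"),
]


def daily_counts(events):
    """Return {(day, action): (raw_count, distinct_count)}.

    distinct_count dedups on the full event key (timestamp, session_id,
    host). Real traffic keeps raw == distinct; duplicated ingestion
    raises raw while distinct stays flat.
    """
    raw = Counter()
    distinct = defaultdict(set)
    for ts, action, session_id, host in events:
        day = ts[:10]  # "YYYY-MM-DD" prefix of the timestamp
        raw[(day, action)] += 1
        distinct[(day, action)].add((ts, session_id, host))
    return {key: (raw[key], len(distinct[key])) for key in raw}


def duplicate_sources(events):
    """Return {host: extra_copies} for hosts that sent identical events
    more than once. One host with all the extras suggests a duplicated
    input or forwarder on that machine, not a change in user behaviour."""
    copies = Counter(events)
    per_host = Counter()
    for (_, _, _, host), n in copies.items():
        if n > 1:
            per_host[host] += n - 1
    return dict(per_host)


def classify_day(counts, day):
    """Label a day 'duplicated' when raw exceeds distinct for any action
    on that day, otherwise 'genuine' (the rise is real traffic)."""
    rows = [v for (d, _), v in counts.items() if d == day]
    if any(raw > distinct for raw, distinct in rows):
        return "duplicated"
    return "genuine"


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_EVENTS)
    for (day, action), (raw, distinct) in sorted(counts.items()):
        print(f"{day} {action:6s} raw={raw} distinct={distinct}")
    for day in sorted({d for d, _ in counts}):
        print(day, classify_day(counts, day))
    print("duplicate copies by host:", duplicate_sources(SAMPLE_EVENTS))
```

In SPL the same comparison is a single `stats` call over a composite key, for example `| eval key=_time."|".session_id."|".host | stats count dc(key) as distinct by action date_mday`; a day where `count` is roughly double `distinct` is duplicated ingestion, while a day where both rise together is a real increase worth investigating on the business side.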

keldridg2
New Member

Thanks for the help. I did do research on this, but it is difficult to determine the main cause of the issue.

0 Karma