Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Forwarder keeps input duplicate event

slasyang
Explorer
‎08-19-2021 01:37 AM

Hi,

 

I have a log server with universal forwarder and some Linux server,

and I set a cronjob to make those Linux server upload their /var/log/secure and /var/log/messages to log server every 10 mins, and universal forwarder will monitor them.

 

But every time, when linux server upload their log files to log  server,

universal forwarder will index not only difference part but entire files,

and it caused a lot of waste of license.

here is my inputs.conf

--

[monitor://D:\Log\Linux\*\messages]
sourcetype = message
index = os
host_segment = 3

--

How can I fix it?

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jwalthour
Communicator
‎08-19-2021 04:29 AM

Except that you’re not just adding events to an existing file; you’re recreating the file each time you overwrite it. I’d need to know more details, but something about what you’re doing triggers Splunk to see it as a new file. I’d advise consulting this troubleshooting guide below to figure out why Splunk is seeing it as a new file and, possibly, how to prevent it.

https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

I’d also recommend you get a proper syslog server set up to accomplish this task in the best way possible.

If this solved your problem, please mark it as the solution.

View solution in original post

Reply
Solved! Jump to solution

jwalthour
Communicator
‎08-19-2021 01:58 AM

How are you sending the Linux logs to your Windows log server? What exactly is the content of your cron job on your Linux servers?

0 Karma
Reply
Solved! Jump to solution

slasyang
Explorer
‎08-19-2021 02:09 AM

First, It copy secure log and messages log to a temp folder,

then use FTP command to PUT the file to windows log server.

0 Karma
Reply
Solved! Jump to solution

jwalthour
Communicator
‎08-19-2021 02:37 AM

And each time you FTP the entire log file to the Windows log server or just the additions?

0 Karma
Reply
Solved! Jump to solution

slasyang
Explorer
‎08-19-2021 02:47 AM

I FTP the entire log file to overwrite the last one.

In my cognition,

forwarder will continue to index event from the end of the last file,

not from the first line.

0 Karma
Reply
Solved! Jump to solution
Solution

jwalthour
Communicator
‎08-19-2021 04:29 AM

Except that you’re not just adding events to an existing file; you’re recreating the file each time you overwrite it. I’d need to know more details, but something about what you’re doing triggers Splunk to see it as a new file. I’d advise consulting this troubleshooting guide below to figure out why Splunk is seeing it as a new file and, possibly, how to prevent it.

https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

I’d also recommend you get a proper syslog server set up to accomplish this task in the best way possible.

If this solved your problem, please mark it as the solution.

Reply
Solved! Jump to solution

slasyang
Explorer
‎08-19-2021 09:45 PM

Thanks for your recommendation,

I think I understand  the cause of this problem.

I'll try another way to index those log file.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...