Getting Data In

How to avoid duplicated event

hochit
Path Finder

We have csv type of data file which is overwritten and with new data appended to the end every night. I found Splunk load/duplicate all the data again everyday!

As I know crcSalt only check CRC with first few lines of the file. How Splunk works in this case to identify only end of the file has new data?

followTail works for file replace?

Tags (3)
0 Karma

barne_dn
Explorer

How are you loading the file:

Are you using a Splunk monitor?
http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Monitorfilesanddirectories

That might be your problem.

0 Karma

dlovett
Path Finder

I am having the exact same issue! did you figure out a solution?

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...