Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to avoid forwarding the event which has already forwarded after restart of forwarder

moohkhol
New Member
‎04-02-2014 03:15 AM

Today I have change configuration of forwarder and restarted it, after restart it is forwarding previous events as well which forwarder has already forwarder.

How I can make sure that after restart, forwarder will only send latest data not previous one.

0 Karma
Reply

MuS
Legend
‎04-02-2014 03:53 AM

Hi moohkhol,

the default behavior of an universal forwarder is, to continue where it left ..... unless you did set crcsalt = <SOURCE> for example. This can lead to re-indexing.

You could use the ignoreOlderThan option in inputs.conf to ignore files that are older then your set value.

Also, re-indexing will take place if the universal forwarders fishbucket got cleaned by exectuing splunk clean all or by removing files form $SPLUNK_HOME/var/lib/splunk/fishbucket.

cheers, MuS

0 Karma
Reply

moohkhol
New Member
‎04-02-2014 04:41 AM

I have not set crcsalt in inputs.conf but still i am seeing that, forwarder is sending older data. I have controlled it with ignoreOlderThan =1d but this will still send duplicate data of 1 day. I am using heavy forwarder .. any though on this ??

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...