Hi Splunkers,
I have noticed an issue in my Splunk environment:
Issue:
Data is getting duplicated twice in indexers. If I do a search in the search head, the same events are coming in twice. This issue started 2 days ago; earlier there was no issue with the data.
My Investigations:
1) Checked the application logs: does the same log exist twice? Answer: No
2) Checked whether this issue is happening to one sourcetype OR only for one index OR one forwarder? Answer: No, it is affecting all forwarders and indexers data.
My questions:
- Is the issue from the indexer cluster side?
- Is the issue from the forwarder side?
- Or is there any other reason why it is happening? And what steps are needed to prevent it?
Thanks in advance.
Regards,
Reddy.
Seems like an issue from 6.3.x; upgrading to a newer version after 6.4.x would fix the issue.
I have the same problem and my version is Splunk Enterprise 6.5.3. Do you have an issue?
I have the same issue: my data is getting doubled in indexers each time a log is captured.
Are the duplicate events coming from the same bucket or different buckets? You can isolate one of the duplicate events, and then check which bucket+splunk_server the event and its duplicates are being returned from:
"some_dup_event | eval bkt=_bkt | fields + bkt,splunk_server"
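The same bucket and indexer check applied to every duplicated event in a time window instead of one isolated event, as an added example that is not part of the original reply. `<your_index>` and `<your_sourcetype>` are placeholders, and the 60-minute window and the `raw_md5`, `copies` and `pattern` field names are assumptions chosen for illustration.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-60m
| eval bkt=_bkt, cd=_cd, raw_md5=md5(_raw)
| stats count AS copies
        dc(bkt) AS bucket_count
        dc(splunk_server) AS indexer_count
        values(bkt) AS buckets
        values(splunk_server) AS indexers
        values(cd) AS event_addresses
        BY _time, host, source, raw_md5
| where copies > 1
| eval pattern=case(
    indexer_count > 1, "copies on different indexers",
    bucket_count > 1,  "copies in different buckets on one indexer",
    true(),            "copies inside the same bucket")
| sort - copies
| table _time host source copies pattern buckets indexers event_addresses
```

Events are grouped by timestamp, host, source and a hash of `_raw`, so only byte-identical copies are counted; the `pattern` column answers the same-bucket-or-different-bucket question for each group.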
Something changed in your configuration. Did someone change outputs.conf on the forwarders?
If no one changed the source data files, then someone must have changed a Splunk setting in some .conf file.
@lguinn
We did not touch any config files in forwarders.