Getting Data In

How to resolve when data getting duplicated twice in indexers?

mpreddy
Communicator

Hi Splunkers,

I have noticed an issue in my Splunk environment:

Issue:

Data is getting duplicated twice in indexers. If i do a search in search head, the same events are coming in twice. this issue started 2 days ago, earlier there is no issue with the data.

My Investigations:

1)checked the application logs wether same log is existing twice? Answer: No
2)Checked whether this issue is happening to one sourcetype OR only for one index OR one forwarder? Answer: No it is affecting all forwarders and indexers data.

My questions:

  • Is the issue is from the Indexer cluster side?
  • Is the issue is from the forwarder side?
  • Or any other reason why it is happening? and what are the steps need to prevent it?

Thanks in advance.

Regards,
Reddy.

1 Solution

vasanthmss
Motivator

Seems like an issue from 6.3.x upgrade to newer version after 6.4.x would fix the issue.

V

View solution in original post

vasanthmss
Motivator

Seems like an issue from 6.3.x upgrade to newer version after 6.4.x would fix the issue.

V

erwan_raulet
Explorer

I have the same problem and my version is Splunk Enterprise 6.5.3. Do you have an issue?

0 Karma

sreekarnapu1109
New Member

I have same issue my data is getting doubled in indexers each time a log is captured

0 Karma

dxu_splunk
Splunk Employee
Splunk Employee

are the duplicate events coming from the same bucket or different buckets? you can isolate one of the duplicate events, and then check with bucket+splunk_server the event and its duplicates are being returned from

"some_dup_event | eval bkt=_bkt | fields + bkt,splunk_server"

0 Karma

lguinn2
Legend

Something changed in your configuration. Did someone change outputs.conf. on the forwarders?
If no one changed the source data files, then someone must have changed a Splunk setting in some .conf file

0 Karma

mpreddy
Communicator

@lguinn

We did not touched any config files in forwarders.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...