Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to resolve when data getting duplicated twice in indexers?

mpreddy
Communicator
‎11-02-2016 01:23 PM

Hi Splunkers,

I have noticed an issue in my Splunk environment:

Issue:

Data is getting duplicated twice in indexers. If i do a search in search head, the same events are coming in twice. this issue started 2 days ago, earlier there is no issue with the data.

My Investigations:

1)checked the application logs wether same log is existing twice? Answer: No
2)Checked whether this issue is happening to one sourcetype OR only for one index OR one forwarder? Answer: No it is affecting all forwarders and indexers data.

My questions:

  • Is the issue is from the Indexer cluster side?
  • Is the issue is from the forwarder side?
  • Or any other reason why it is happening? and what are the steps need to prevent it?

Thanks in advance.

Regards,
Reddy.

Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎02-01-2017 04:00 PM

Seems like an issue from 6.3.x upgrade to newer version after 6.4.x would fix the issue.

V

View solution in original post

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎02-01-2017 04:00 PM

Seems like an issue from 6.3.x upgrade to newer version after 6.4.x would fix the issue.

V
Reply
Solved! Jump to solution

erwan_raulet
Explorer
‎06-21-2017 08:37 AM

I have the same problem and my version is Splunk Enterprise 6.5.3. Do you have an issue?

0 Karma
Reply
Solved! Jump to solution

sreekarnapu1109
New Member
‎01-20-2020 05:28 AM

I have same issue my data is getting doubled in indexers each time a log is captured

0 Karma
Reply
Solved! Jump to solution

dxu_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 05:01 PM

are the duplicate events coming from the same bucket or different buckets? you can isolate one of the duplicate events, and then check with bucket+splunk_server the event and its duplicates are being returned from

"some_dup_event | eval bkt=_bkt | fields + bkt,splunk_server"

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎11-02-2016 04:32 PM

Something changed in your configuration. Did someone change outputs.conf. on the forwarders?
If no one changed the source data files, then someone must have changed a Splunk setting in some .conf file

0 Karma
Reply
Solved! Jump to solution

mpreddy
Communicator
‎11-02-2016 04:35 PM

@lguinn

We did not touched any config files in forwarders.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...