Re: In my current batch stanza in inputs.conf, why...

xiyangyang · ‎04-27-2017

My inputs.conf is as follow:

[batch://C:\Splunk\2.txt]
index = netiq
move_policy = sinkhole
sourcetype = shinsei_db_audit_utf8

[monitor://C:\Splunk\log_SME*.log]
disabled = false
followTail = 0
ignoreOlderThan = 100d
index = netiq
sourcetype = shinsei_common_shift_jis

With this inputs.conf, the batch stanza object 2.txt is indexed twice every time.
If I remove the whole monitor part, the 2.txt is indexed once.

What is the reason of it being indexed twice?

tlam_splunk · ‎04-28-2017

You're using batch stanza, is the file 2.txt deleted after indexing ?

As you mentioned, it's indexed twice, what's the source type of them ? Is it one from shinsei_common_shift_jis and other form shinsei_db_audit_utf8 ?

Thanks

xiyangyang · ‎05-07-2017

Yes, the 2.txt was removed after it was indexed.
2.txt is indexed twice, and both of the sourcetype are shinsei_db_audit_utf8.

If I move "" from Line 6, [monitor://C:\Splunk\log_SME.log]. This phenomenon will not happen.

xiyangyang · ‎05-07-2017

Yes, the 2.txt was removed after it was indexed.
2.txt is indexed twice, and both of the sourcetype are shinsei_db_audit_utf8.

If I move "" from Line 6, [monitor://C:\Splunk\log_SME.log]. This phenomenon will not happen.

In my current batch stanza in inputs.conf, why is the file indexed twice?

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms