In my current batch stanza in inputs.conf, why is ...

xiyangyang · ‎04-27-2017

My inputs.conf is as follow:

[batch://C:\Splunk\2.txt]
index = netiq
move_policy = sinkhole
sourcetype = shinsei_db_audit_utf8

[monitor://C:\Splunk\log_SME*.log]
disabled = false
followTail = 0
ignoreOlderThan = 100d
index = netiq
sourcetype = shinsei_common_shift_jis

With this inputs.conf, the batch stanza object 2.txt is indexed twice every time.
If I remove the whole monitor part, the 2.txt is indexed once.

What is the reason of it being indexed twice?

tlam_splunk · ‎04-28-2017

You're using batch stanza, is the file 2.txt deleted after indexing ?

As you mentioned, it's indexed twice, what's the source type of them ? Is it one from shinsei_common_shift_jis and other form shinsei_db_audit_utf8 ?

Thanks

xiyangyang · ‎05-07-2017

Yes, the 2.txt was removed after it was indexed.
2.txt is indexed twice, and both of the sourcetype are shinsei_db_audit_utf8.

If I move "" from Line 6, [monitor://C:\Splunk\log_SME.log]. This phenomenon will not happen.

xiyangyang · ‎05-07-2017

Yes, the 2.txt was removed after it was indexed.
2.txt is indexed twice, and both of the sourcetype are shinsei_db_audit_utf8.

If I move "" from Line 6, [monitor://C:\Splunk\log_SME.log]. This phenomenon will not happen.

In my current batch stanza in inputs.conf, why is the file indexed twice?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!