Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Redundancy in Data Using UF

tahaahmed354
Loves-to-Learn
‎01-01-2024 10:19 PM

I am using a single universal forwarder on my windows machine to send a log file to my Splunk host machine deployed on Ubuntu. 

The problem is that there were 3 logs events initially in the file, and splunk read those events and displayed on the dashboard. But when I appended the same file and added 10 more events manually, the dashboard is giving out 16 log events when there are only 13 events in the log file. its is reading the first three logs twice. How to resolve this issue?  

Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎01-01-2024 11:01 PM

Hi @tahaahmed354 

Looks like you may have mistakenly configured the read from beginning everytime. 

To Troubleshoot this issue, could you please copy paste the inputs.conf from your windows UF (only the required portion is enough, remove any sensitive values), thanks. 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

tahaahmed354
Loves-to-Learn
‎01-01-2024 11:29 PM

Sure, here is the configuration of my inputs.conf file

[tcpout:// <ip-address>:<port>]

[monitor://C:\Users\admin\Desktop\practicelogs.txt]

disabled = 0
index = practicelogs
sourcetype = practicelogs


i didnt understand what yo meant by read from beginning. can you please elaborate on that, Thanks.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎01-02-2024 12:18 AM

Please add this to your inputs.conf and restart Splunk Service on UF.

crcSalt = <SOURCE>

 and update the test log, then check if the Splunk indexer still have redundant logs. 

 

regarding the "read from beginning", i was bit confused with the other topic today morning.. monitoring the archive files. more details here:

https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/Monitorfilesanddirectories

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...