I have an HF and it is configured to send data via sourcetype A.
After some time it stops sending data to A.
Then I move the data to a different HF in sourcetype: test (to test if it is working).
Then from the new HF I am routing the data to sourcetype A itself.
Will it reingest the data or checkpoint from where it left off? Will it ignore the data which was sent to sourcetype: test? I need help and a clear explanation.
Each ingested event is a separate entity and is processed independently so if you make the same data available to the input twice (for example by sending the same syslog event to a network-listening input) it's gonna get ingested, processed and indexed twice.
It's up to the input - if applicable - to make sure the same data is not ingested twice. That's why file monitoring inputs have some logic implemented which keeps track of which files and "how far" have been read so far; database inputs can have checkpoints storing information at which point in time you stopped reading from DB and so on. But that happens on the input level.
After the event is read by the input, it's getting processed regardless of whether another "copy" of it has ever been indexed or not.
The two HFs have no way to know what the other has done so the new HF probably will reingest the same data. I say "probably" because I'm not familiar with the mechanism the add-on uses to fetch data from Azure. If the checkpoint is stored on the HF then data will be reingested by a different HF; if the checkpoint is stored on Azure then data may not be reingested.
I can confirm that the checkpoint data is stored in the KV Store on the forwarder. The checkpoint is the last timestamp retrieved from the Azure REST API. So if you use a new forwarder, the data will be ingested again (duplicate data).
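An added illustration, not from the thread or the add-on's own code: a small Python model of a last-timestamp checkpoint kept in each forwarder's local store, showing why a second forwarder re-reads the same events and how the resulting duplicates can be identified afterwards. The `Forwarder` class, the event data and the assumption that the checkpoint is not keyed by sourcetype are all constructed for this sketch.

```python
import hashlib

# Constructed sample events: (epoch timestamp, raw text) from a hypothetical REST source.
SOURCE_EVENTS = [
    (100, "signin user=alice result=success"),
    (110, "signin user=bob result=failure"),
    (120, "signin user=carol result=success"),
    (130, "signin user=dave result=failure"),
]

class Forwarder:
    """Hypothetical forwarder whose input stores its checkpoint locally."""
    def __init__(self, name, sourcetype):
        self.name = name
        self.sourcetype = sourcetype
        self.kv_store = {}  # local checkpoint store, never shared with other forwarders

    def poll(self, source, index, up_to):
        # Fetch only events newer than the locally stored timestamp.
        last = self.kv_store.get("last_ts", 0)
        batch = [(ts, raw) for ts, raw in source if last < ts <= up_to]
        for ts, raw in batch:
            index.append({"ts": ts, "raw": raw,
                          "sourcetype": self.sourcetype, "host": self.name})
        if batch:
            self.kv_store["last_ts"] = batch[-1][0]
        return len(batch)

def find_duplicates(index):
    # Group indexed events by a hash of timestamp + raw text; keep groups seen twice or more.
    seen = {}
    for ev in index:
        key = hashlib.sha256(f"{ev['ts']}|{ev['raw']}".encode()).hexdigest()
        seen.setdefault(key, []).append(ev)
    return [evs for evs in seen.values() if len(evs) > 1]

def run_scenario():
    index = []
    hf1 = Forwarder("hf1", "A")
    hf1.poll(SOURCE_EVENTS, index, up_to=110)  # first HF ingests two events, then stops
    hf2 = Forwarder("hf2", "test")             # new HF starts with an empty checkpoint store
    hf2.poll(SOURCE_EVENTS, index, up_to=120)  # so it reads from the beginning again
    hf2.sourcetype = "A"                       # assumption: rerouting keeps hf2's checkpoint
    hf2.poll(SOURCE_EVENTS, index, up_to=130)  # resumes after ts=120
    return index, find_duplicates(index)

if __name__ == "__main__":
    index, dups = run_scenario()
    for group in dups:
        print(group[0]["ts"], [(e["host"], e["sourcetype"]) for e in group])
```

In this model the two events already indexed by the first forwarder appear a second time under sourcetype test, while the event read only by the second forwarder during the test stays in test and is not read again after the reroute.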