Hi
I have Splunk_TA_aws installed on the heave forwarder
the input are
[aws_s3://aws_dome9_logs_amdocsdome9logs]
aws_account = IS account
bucket_name = amdocsdome9logs
character_set = auto
ct_blacklist = ^$
host_name = s3.amazonaws.com
index = aws_dome9_logs
initial_scan_datetime = 2018-01-01T21:54:23-0700
interval = 30
is_secure = True
max_items = 100000
max_retries = 3
recursion_depth = -1
sourcetype = _json_current_time
[aws_s3://aws_dome9_logs_amdocsdome9remediationlogs]
aws_account = IS account
bucket_name = amdocsdome9remediationlogs
character_set = auto
ct_blacklist = ^$
host_name = s3.amazonaws.com
index = aws_dome9_logs
initial_scan_datetime = 2018-01-01T21:54:23-0700
interval = 30
is_secure = True
max_items = 100000
max_retries = 3
recursion_depth = -1
sourcetype = _json_current_time
what can be the reason the same event if indexed twice (day after day )
according to the json file diff the files are identical
You could say its problem/issue with TA if you are observing same behavior for all the inputs you have created using the TA.
I would recommend creating a new input which you don’t think the events of this input are not duplicated with other input in AWS.
Hi
I am checking now with Dome9 team
will update