Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting duplicate Windows event log entries for the same record, but different hosts, sources and sourcetypes?

schultet
Path Finder
‎02-25-2015 01:10 PM

I get two entries in splunk for the same record (RecordNumber=10993503). One with host name as FQDN and source type as follows:

host = DC1.domain.name
source = WMI:WinEventLog:System 
sourcetype = WMI:WinEventLog:System

The other has the following without the FQDN and WMI: 

host = DC1 
source = WinEventLog:System 
sourcetype = WinEventLog:System

Does anyone know how this is happening?

Thanks
Tom

2/23/15 
2:44:57.000 PM    

20150223144457.000000
Category=0
CategoryString=NULL
EventCode=5805
EventIdentifier=5805
EventType=1
Logfile=System
RecordNumber=10993503
SourceName=NETLOGON
TimeGenerated=20150223194457.000000-000
TimeWritten=20150223194457.000000-000
Type=Error
User=NULL
ComputerName=DC1.domain.name
wmi_type=WinEventLog:System
Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred: 
Access is denied.


Collapse
host = DC1.domain.name
source = WMI:WinEventLog:System 
sourcetype = WMI:WinEventLog:System 

›  2/23/15 
2:44:57.000 PM    

02/23/2015 02:44:57 PM
LogName=System
SourceName=NETLOGON
EventCode=5805
EventType=2
Type=Error
ComputerName=DC1.domain.name
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=10993503
Keywords=Classic
Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred: 
Access is denied.
Collapse
host = DC1 
source = WinEventLog:System 
sourcetype = WinEventLog:System
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fcuisit
Engager
‎03-02-2015 08:33 AM

found that Snare was also installed and posting to Splunk. That is why one was a sourcetype=WMI:WinEventLog:System and the other was not (just WinEventLog:System)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

fcuisit
Engager
‎03-02-2015 08:33 AM

found that Snare was also installed and posting to Splunk. That is why one was a sourcetype=WMI:WinEventLog:System and the other was not (just WinEventLog:System)

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎03-03-2015 04:22 PM

Hi @fcuisit

Are you also the user who posted this question, just using a different account?

0 Karma
Reply
Solved! Jump to solution

fcuisit
Engager
‎03-05-2015 06:16 AM

Oh yeah didn't realize it.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-25-2015 01:24 PM

Are you sure you only have one inputs.conf entry that pulls System event logs?
If you go to event viewer on the source host, do you just see a single event being logged?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...