Hi fdi01,

Thanks for your reply.

Looks like default option is endpoint_md5, we need to explicitly mention this in props??

and my abc.out file is rotated based on size, if it reaches some size it will rotate and new file will get created.

Here is my error message:

WARN TcpOutputProc - Possible duplication of events with channel=source::/123/.out|host::xyz|out-2|571, streamId=0, offset=0 on host=indexer:9997

what is out-2 in the above warning, if it is sourcetype, sourcetype given as per above configuration file is abc, then why is it showing out-2??

I am using indexer acknowledgement using useAck=true.

by default, CHECK_METHOD= modtime.
The workaround is to set priority higher than the default stanza using source stanza in props.conf (If you use host or sourcetype in the props.conf will not work), specify CHECK_METHOD so it will not use modtime.

For example:
[source::.../abc.out]
sourcetype=log_in_abc.out
CHECK_METHOD = endpoint_md5
priority = 10

This I could find:

CHECK_METHOD = [endpoint_md5|entire_md5|modtime]
* Set CHECK_METHOD endpoint_md5 to have Splunk checksum of the first and last 256 bytes of a
file. When it finds matches, Splunk lists the file as already indexed and indexes only new
data, or ignores it if there is no new data.
* Set CHECK_METHOD = entire_md5 to use the checksum of the entire file.
* Set CHECK_METHOD = modtime to check only the modification time of the file.
* Settings other than endpoint_md5 cause Splunk to index the entire file for each detected
change.
* Defaults to endpoint_md5.
* Important: this option is only valid for [source::] stanzas.

And also I could see below warning message on my forwarders:

WARN TcpOutputProc - Read operation timed out expecting ACK from indexer in 300 seconds.

in your /opt/splunk/etc/system/default/props.conf the Defaults CHECK_METHOD = modtime by in manuel it is CHECK_METHOD = endpoint_md5.
note: erase all data already indexed and resumes a new index on the same indexed or a new index. with the new configuration props.conf