Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I seeing duplicate events?

davidpaper
Contributor
‎06-07-2017 08:27 PM

I'm seeing the following two log messages on my UF. I'm also seeing big spikes in events every few minutes from this log file. What's going on?

06-06-2017 13:55:47.047 -0400 WARN TcpOutputProc - Possible duplication of events with channel=source::/logs/mylogs/log4j/my-java-logs.log|host::myhost|log4j_6|16384, streamId=12699096867673601155, offset=48369192 onhost=10.217.104.156:9997

06-06-2017 13:58:45.293 -0400 INFO WatchedFile - Logfile truncated while open, original pathname file='/logs/mylogs/log4j/my-java-logs.log', will begin reading from start.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

davidpaper
Contributor
‎06-07-2017 08:38 PM

The cause of both messages is the /logs/mylogs/log4j/my-java-logs.log is being written to, and instead of rolled, its being truncated (equivalent of cat /dev/null > my-java-logs.log) and re-written as it grows and reaches 50MB.

To find this, we used a tool called watch.

/usr/bin/watch -n 1 ls -l /logs/mylogs/log4j/my-java-logs.log

And we noticed that the file would grow up to just under 50MB and then it would reset back to 0 bytes and write data into the same file.

The solution was to go back to the developer and convince them to change the logic to roll the log file to my-java-logs.log.1 and open a new my-java-logs.log for writing, instead of truncating.

We also noticed that this large file was triggering the Batch reader. We updated the limits.conf: [default] min_batch_size_bytes up from 20 to 100 MB.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

davidpaper
Contributor
‎06-07-2017 08:38 PM

The cause of both messages is the /logs/mylogs/log4j/my-java-logs.log is being written to, and instead of rolled, its being truncated (equivalent of cat /dev/null > my-java-logs.log) and re-written as it grows and reaches 50MB.

To find this, we used a tool called watch.

/usr/bin/watch -n 1 ls -l /logs/mylogs/log4j/my-java-logs.log

And we noticed that the file would grow up to just under 50MB and then it would reset back to 0 bytes and write data into the same file.

The solution was to go back to the developer and convince them to change the logic to roll the log file to my-java-logs.log.1 and open a new my-java-logs.log for writing, instead of truncating.

We also noticed that this large file was triggering the Batch reader. We updated the limits.conf: [default] min_batch_size_bytes up from 20 to 100 MB.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability - November 2025

Feature Highlight  Analyze your dimensions and metrics with Usage Analytics  To help optimize telemetry data ...

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...