i see duplicate data getting indexed.its impacting license. can you please suggest how i can fix this.below is the monitoring .
[monitor:///incoming/XXXXX/XXXX/XXXXX.gz]
disabled = false
index = XXXXX
sourcetype = XXXX
EVENT_BREAK_ENABLE=true
Please add your outputs.conf to this post.
cheers, MuS
Hi, How many indexers you have and how you are confirming that the duplicate data is ingesting. If those duplicate logs are from same application servers and exactly same in format, Splunk is smart enough to drop the duplicate logs.