Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Seeing duplicate events in Search Results ?

arunsony
New Member
‎05-27-2017 08:02 PM

I have a source as ///application.log in my inputs.conf.On the servers the application.log will be rolled when it fill up with 10Mb by creating the file name as application.12-13-2014.log and new file with application.log will be creating after rolling . At some point because of this roll over we are missing some events in splunk. So in order to not to miss the events we changed the source as application* (used wild card) in inputs.conf and now we see all the logs getting indexed and showing events in search. But the problem is that we are getting duplicate logs with the same time stamp. The duplicate logs appears with the source as one with application.log and the other with application.12-12-2014.log. So can anyone help me on this issue. Thanks in advance !

Tags (1)
0 Karma
Reply

arunsony
New Member
‎05-28-2017 08:47 AM

Is there any way of writing props or transforms for the source to drop the duplicate events. I am not sure about the whitelist you are saying ? Can you give an example ?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-28-2017 02:27 PM

No but you can schedule a search to run hourly like this which removes duplicates from search results:

index=YourIndexHere sourcetype=YourSourcetypeHere earliest=-5h latest=now
| streamstats count AS deleteme BY _raw
| search deleteme>1
| delete
0 Karma
Reply

arunsony
New Member
‎05-28-2017 02:49 PM

My index name is Application and Sourcetype is prod_application . Can you just write the search for 1 hour ? One more thing the duplicates will be deleted at the search level or indexer level ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...