Basic setup:
- Splunk 4.2 on Ubuntu 10.04
- rsyslog collects logs from other machines, and Splunk reads and tabulates event data from /var/log/*
I noticed that a cron.hourly process, which normally generates 2 events/hour in the search app, jumped up to 4 events/hour (which were duplicates) for a 24-hour period, and then returned to 2 events/hour.
Grepping /var/log/syslog for that particular event does not show duplicates, and when I ask the search app to show the source, the source does not show duplicates either.
Has anyone experienced double counting before? If yes, how did you resolve it?