×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
cbreezier
Engager
Member since: ‎07-19-2020
‎10-05-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 3
Karma Received 2
Member Since ‎07-19-2020
Activity Feed
View All

Prevent duplicates from generic S3 input

by in Getting Data In
‎09-14-2020 12:45 AM
2 Karma
‎09-14-2020 12:45 AM
2 Karma
I've set up a generic S3 input and it's working pretty well. However, I sometimes get duplicate events. I believe the issue is explained here: > The S3 data input is not intended to read frequently modified files. If a file is modified after it has been indexed, the Splunk platform indexes the file again, resulting in duplicated data. Use key, blocklist, and allowlist options to instruct the add-on to index only those files that you know will not be modified later. https://docs.splunk.com/Documentation/AddOns/released/AWS/S3   My setup involves S3 files that may be updated for a period of 5 minutes. After 5 minutes, they'll never be modified again. Let's start by assuming that I can't change that. In the majority of cases, the file contents aren't actually changed - only the last modification date is changed. I'd like the ability to do the following: Only index files that are older than 5 minutes, or Keep a CRC/hash of each file and only reindex if the hash changes, or Keep track of which line we're up to in each file and only index appended lines 3 is ideal, 1 completely fixes the problem for me (at the cost of some indexing delay), 2 greatly reduces the problem (and I think Splunk already does this for local files?) Is any of what I'm asking for possible? Or is there another solution to my problem? Thanks! ... View more
Labels

Re: MQTT Modular Input: Does not start, receives e...

by in All Apps and Add-ons
‎07-20-2020 12:01 AM
‎07-20-2020 12:01 AM
This is very late, but I ran into the same error. I saw a hint at https://community.splunk.com/t5/All-Apps-and-Add-ons/Unable-to-initialize-modular-input-quot-mqtt-quot-defined-inside/td-p/131063 I also found a page about troubleshooting add-ons: https://docs.splunk.com/Documentation/AddOns/released/Overview/Troubleshootadd-ons Which allowed me to find the following log from the add-on for more information: 07-20-2020 06:43:40.050 +0000 ERROR ModularInputs - <stderr> Introspecting scheme=mqtt: java: symbol lookup error: java: undefined symbol: JLI_StringDup And then I found this bug: https://bugs.launchpad.net/ubuntu/+source/openjdk-lts/+bug/1882208 So I downgraded to openjdk-8 and all is well for me (I was on openjdk-11). I see that you're running jdk-12, which is likely to be your problem. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-05-2021 02:47 AM
Karma from
View All
Karma given to