About subasm

subasm · ‎12-19-2023

Apparently the source files transfer to folder is in our control - it is verified that the data is NOT duplicates. It seems to me there are issues while the data is inflight UF -> HF -> Indexers. Not sure how the ACK works in this set up.

subasm · ‎12-18-2023

We are manually copying the files to the <DIR> and from there onwards UF is supposed to pick up. So I don't think there is rolling over of the same files at midnight.

subasm · ‎12-18-2023

We are trying to ingest large (peta bytes) information into Splunk. The Events are in JSON file structure like - 'audit_events_ip-10-23-186-200_1.1512077259453.json' The pipeline is like - JSON files > Folder > UF > HF Cluster > Indexer Cluster ~ UF - inputs.conf [batch:///folder] _TCP_ROUTING = p2s_au_hf crcSalt = <SOURCE> disabled = false move_policy = sinkhole recursive = false whitelist = \.json$ We are seeing the events from specific files (NOT all) are getting duplicated. It indexes from some file 2 times exactly. As it is [batch:///] which suppose to delete the file after reading it & crcSalt=<SOURCE>, we are NOT able to figure out why & what creates the duplicates. Would appreciate any help, reference or pointers. Thanks in advance!!!

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎12-18-2023

Online Status	Offline
Date Last Visited	‎12-19-2023 11:19 AM

How to avoid indexing duplicates?

Re: How to avoid indexing duplicates?

Re: How to avoid indexing duplicates?

How to avoid indexing duplicates?

Join the Conversation

How to avoid indexing duplicates?

Re: How to avoid indexing duplicates?

Re: How to avoid indexing duplicates?

How to avoid indexing duplicates?