×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
chodgens
Engager
Member since: ‎12-09-2019
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎12-09-2019
View All

Re: Events being indexed multiple times to differe...

by SplunkTrust in Getting Data In
‎12-10-2019 11:35 AM
1 Karma
‎12-10-2019 11:35 AM
1 Karma
Are those indexed times the times of that particular event being indexed? Why the different times? (Or are they actually just "reindexed examples" and not examples of that particular event being reindexed?) Also can you confirm that the file absolutely doesn't change in the first few hundred characters? Because my first real guess is that something rewrites a header line in that file, and thus Splunk thinks it's a new file. Is it just a typo that inputs.conf says index=indexers, but the table of values has index=indexer? Lastly, these appear to be heavy forwarders - why not UF? (And if I'm wrong there, no worries). Your theory is probably right, but why? That's the question. I've seen this happen on high-load boxes, too, when there's too many files to monitor properly in one stanza. have you thought to break up the one big stanza into a lot of little ones? How many files are being tailed at any one time? -Rich ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma given to
View All