Windows cluster machines [Node A - Active / Node B - Standby], using SAN for central storage.
All Splunk configuration is set as default except input.conf, which was modified to monitor a specific log path.
We have installed Splunk Forwarder 4.2 on both nodes and monitor file.zip on the SAN and NAS paths. The application created "Splunk_DB" on the SAN for tracking forwarded logs. All monitored log files are working as expected, except file.zip, which has a problem with duplicate log files being forwarded when the cluster switches nodes. All logs that were forwarded on Node A are re-indexed when the active node switches to Node B.
Impact: The forwarder re-indexes duplicated content on the Splunk Indexer and the license limit is exceeded.
We urgently need a long-term solution from the Splunk support team. Thank you in advance.
Related question: http://splunk-base.splunk.com/answers/43531/failover-cluster-splunk-re-index-when-cluster-has-switched-node?page=1&focusedAnswerId=44416#44416