Hi all
My Splunk instance is monitoring one file for new data and adds it to its database.
From these events, I build a world map dashboard.
Example of log file entry:
2018-12-20 10:25:12,938 TRACE [233] HttpInterface - [13.14.10.116] [RequestId = ce47b6e2-ffd9-4408-9b34-5e661e9f9278] HTTP request received from 123.456.3.119:96350
Method = Post
Uri = http://name.goes.here/url/url/url/url/parameter,parameter?output=json&Id=01e363e041420b915134c592c23e12c27b1ba6c7
Headers =
X-Forwarded-For: 444.333.222.111
X-Forwarded-Proto: http
X-Real-IP: 444.333.222.111
Connection: close
Content-Length: 101
Content-Type: application/xml
Accept-Encoding: gzip
Cookie: load-balancer-token=351
Host: name.goes.here
User-Agent: blablablabla(moreblablabla)/1.0
Body = <?xml version="1.0" encoding="utf-8"?><Create><Id>37</Id></Create>
This is my search query:
sourcetype="Logs" |
rex "X-Real-IP: (?<Real_IP>(\d|\.)+)" |
iplocation Real_IP |
lookup geo_countries latitude AS lat longitude AS lon OUTPUT featureId AS country |
stats count as input by country |
sort -input |
eval input = country + " - " + input |
geom geo_countries featureIdField=country
Although in my logs I only have one such entry, for some reason it's logging that 1 entry 200 times...
Sometimes more, sometimes less.
I can't seem to figure out why that is.
Any ideas where I can start looking?
Update
I checked my SourceType (using the Splunk UI) and I'm breaking my events with a regex which is only set to 'TRACE'.
The reason behind this is that every piece of separate logging starts with a line that contains the date, time and TRACE. The only consistent thing there is TRACE.
This worked fine for a long time but only started to break a few weeks ago. First I thought it was the log file, but now it seems that it's my configuration somehow.
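To reproduce the first two stages of the search offline (event breaking, then the X-Real-IP rex) and check whether the break regex is producing as many events as there are timestamped log lines, here is an added Python example. It is not the poster's configuration or Splunk's code: the sample log is constructed, the `LOOSE_BREAK` / `STRICT_BREAK` patterns and the `audit` / `count_by_real_ip` helpers are my own, the rex is rewritten with Python's `(?P<name>...)` group syntax, and the `iplocation` / `geo_countries` steps are left out because they need a GeoIP database.

```python
"""Offline re-creation of the event-break + rex stages of the post's pipeline.
Added example, not the poster's setup; iplocation/geo lookups are skipped."""
import re
from collections import Counter

# Constructed sample log (not the poster's real file).  Three genuine requests,
# each starting with a timestamped TRACE line.  The second request's URI and the
# third request's body also contain the bare token "TRACE" in other positions.
SAMPLE_LOG = """\
2018-12-20 10:25:12,938 TRACE [233] HttpInterface - [10.0.0.1] [RequestId = aaa] HTTP request received from 10.0.0.2:1111
Method = Post
Uri = http://name.goes.here/url/one?output=json
Headers =
X-Forwarded-For: 203.0.113.10
X-Real-IP: 203.0.113.10
Host: name.goes.here
Body = <?xml version="1.0" encoding="utf-8"?><Create><Id>1</Id></Create>
2018-12-20 10:25:13,101 TRACE [234] HttpInterface - [10.0.0.1] [RequestId = bbb] HTTP request received from 10.0.0.3:2222
Method = Post
Uri = http://name.goes.here/url/TRACE/two?output=json
Headers =
X-Forwarded-For: 198.51.100.7
X-Real-IP: 198.51.100.7
Host: name.goes.here
Body = <?xml version="1.0" encoding="utf-8"?><Create><Id>2</Id></Create>
2018-12-20 10:25:14,555 TRACE [235] HttpInterface - [10.0.0.1] [RequestId = ccc] HTTP request received from 10.0.0.4:3333
Method = Post
Uri = http://name.goes.here/url/three?output=json
Headers =
X-Forwarded-For: 203.0.113.10
X-Real-IP: 203.0.113.10
Host: name.goes.here
Body = <?xml version="1.0" encoding="utf-8"?><Create><Id>3</Id><Note>TRACE route</Note></Create>
"""

# Break regex as the poster describes it (the bare token, matched anywhere) versus
# an anchored alternative that requires the timestamp prefix at the start of a line.
LOOSE_BREAK = re.compile(r"(?=TRACE)")
STRICT_BREAK = re.compile(
    r"(?=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} TRACE )", re.MULTILINE)

# The post's rex, in Python's named-group syntax ([\d.]+ is the same set as (\d|\.)+).
REAL_IP = re.compile(r"X-Real-IP: (?P<Real_IP>[\d.]+)")
# Every genuine log entry starts with a timestamp; used as the ground truth.
TIMESTAMP_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ", re.MULTILINE)


def break_events(text, breaker):
    """Start a new event at every position where `breaker` matches.  The lookahead
    is zero-width, so the matched text stays at the head of the following event."""
    return [e for e in breaker.split(text) if e.strip()]


def count_by_real_ip(text, breaker):
    """rex X-Real-IP out of each event and count events per IP (stand-in for
    the per-country stats in the post)."""
    hits = (REAL_IP.search(e) for e in break_events(text, breaker))
    return dict(Counter(m.group("Real_IP") for m in hits if m))


def audit(text, breaker):
    """Sanity check for the break regex: the number of events should equal the
    number of timestamped lines, and every event should carry an X-Real-IP."""
    events = break_events(text, breaker)
    with_ip = [e for e in events if REAL_IP.search(e)]
    ts_lines = len(TIMESTAMP_LINE.findall(text))
    return {"events": len(events), "events_with_ip": len(with_ip),
            "timestamp_lines": ts_lines, "consistent": len(events) == ts_lines}


if __name__ == "__main__":
    for name, breaker in (("loose", LOOSE_BREAK), ("strict", STRICT_BREAK)):
        print(name, audit(SAMPLE_LOG, breaker), count_by_real_ip(SAMPLE_LOG, breaker))
```

Running it shows the loose pattern cutting the three entries into six fragments (three of them without any X-Real-IP), while the anchored pattern yields exactly one event per timestamped line. The same check can be done inside Splunk by comparing `| stats count` against the number of timestamped lines in the file before looking further at the lookup and geom stages.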