I'm receiving duplicate events from IIS logs being sent through the universal forwarder.
The forwarder's 'splunkd.log' is showing:
10-24-2013 14:45:02.882 +1100 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:45:02.882 +1100 INFO WatchedFile - Will begin reading at offset=0 for file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:45:02.882 +1100 INFO WatchedFile - Resetting fd to re-extract header.
Splunk versions are:
Splunk 6.0.182037
Splunk universal forwarder 6.0.182611
inputs.conf
[monitor://C:\path\to\iis\logs\*.log]
disabled = false
sourcetype = iis
props.conf (as per universal forwarder defaults)
[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
Any ideas where I am going wrong?
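To gauge how often the forwarder restarts a file from offset 0, the WatchedFile messages quoted in the post can be tallied per file. This is an added example, not part of the original post; the function name `summarize_rereads` and every sample line beyond the three quoted above are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First three lines are the ones quoted in the post; the remaining four are
# constructed sample data in the same format.
SAMPLE = r"""10-24-2013 14:45:02.882 +1100 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:45:02.882 +1100 INFO WatchedFile - Will begin reading at offset=0 for file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:45:02.882 +1100 INFO WatchedFile - Resetting fd to re-extract header.
10-24-2013 14:46:00.000 +1100 INFO OtherComponent - unrelated constructed message
10-24-2013 14:50:02.882 +1100 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:50:02.882 +1100 INFO WatchedFile - Will begin reading at offset=0 for file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:51:00.000 +1100 INFO WatchedFile - Will begin reading at offset=2048 for file='C:\path\to\iis\logs\u_ex131023.log'.
"""

TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"
LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+WatchedFile - (?P<msg>.*)$")
FILE = re.compile(r"file='(?P<path>[^']+)'")
OFFSET = re.compile(r"Will begin reading at offset=(?P<off>\d+)")

def summarize_rereads(log_text):
    """Return {path: stats} for every file that had a seekptr checksum mismatch."""
    stats = defaultdict(lambda: {"mismatches": [], "restarts_at_zero": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a WatchedFile message
        f = FILE.search(m["msg"])
        if not f:
            continue  # e.g. "Resetting fd to re-extract header." names no file
        entry = stats[f["path"]]
        if "Checksum for seekptr didn't match" in m["msg"]:
            entry["mismatches"].append(datetime.strptime(m["ts"], TS_FORMAT))
        off = OFFSET.search(m["msg"])
        if off and int(off["off"]) == 0:
            entry["restarts_at_zero"] += 1  # whole file will be read again
    # Files that were only resumed at a non-zero offset are not re-reads.
    return {p: e for p, e in stats.items() if e["mismatches"]}

if __name__ == "__main__":
    for path, e in summarize_rereads(SAMPLE).items():
        print(path, len(e["mismatches"]), "mismatches,",
              e["restarts_at_zero"], "restarts at offset 0")
```

Each restart at offset 0 corresponds to one full re-read of the file, so the per-file counts can be compared against the number of duplicate copies seen in the index.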