Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Seeing duplicate events in Search Results ?

arunsony
New Member
‎05-27-2017 08:02 PM

I have a source as ///application.log in my inputs.conf.On the servers the application.log will be rolled when it fill up with 10Mb by creating the file name as application.12-13-2014.log and new file with application.log will be creating after rolling . At some point because of this roll over we are missing some events in splunk. So in order to not to miss the events we changed the source as application* (used wild card) in inputs.conf and now we see all the logs getting indexed and showing events in search. But the problem is that we are getting duplicate logs with the same time stamp. The duplicate logs appears with the source as one with application.log and the other with application.12-12-2014.log. So can anyone help me on this issue. Thanks in advance !

Tags (1)
0 Karma
Reply

arunsony
New Member
‎05-28-2017 08:47 AM

Is there any way of writing props or transforms for the source to drop the duplicate events. I am not sure about the whitelist you are saying ? Can you give an example ?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-28-2017 02:27 PM

No but you can schedule a search to run hourly like this which removes duplicates from search results:

index=YourIndexHere sourcetype=YourSourcetypeHere earliest=-5h latest=now
| streamstats count AS deleteme BY _raw
| search deleteme>1
| delete
0 Karma
Reply

arunsony
New Member
‎05-28-2017 02:49 PM

My index name is Application and Sourcetype is prod_application . Can you just write the search for 1 hour ? One more thing the duplicates will be deleted at the search level or indexer level ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...