Our setup: 2 SH, 1 deployment server, 1 license server and 2 indexers. Our two indexers are also syslog servers, and they read the input file directly from the syslog folder for indexing. I suspect Splunk is ingesting archive files of syslog data that has already been ingested. How do I verify this?