I need to monitor a folder where each file should be treated as a single event.
The files get their entire content over some time (usually hours).
Initially, loosely segregated events used to get created for the same file as the file would get modified over time.
To avoid that, I applied checksum-config-check as "entire_md5". This avoids the loosely segregated events by combining them into one single event for the entire file. That is good; however, I see duplicate events with the same content (entire file).
Could you please help me figure out how to avoid these duplicate events? Maybe there is a way Splunk can automatically delete the duplicate events and retain only one event per file?
Thanks
Ishaan