I am seeing the exact same log on each of my production indexers
I can even see _internal logs from each indexer duplicated on all three indexers. I checked using btool and there is nothing in outputs.conf to send the logs from one indexer to the other, so how could I see logs from _internal on one indexer from another indexer? In my environment I have two heavy forwarders that collect all the logs and send them to the back-end indexers. I tried using forceTimebasedAutoLB = true but still get duplicate logs from all sources.
Could this be a problem at the search head thinking that all indexers have the same data? I have never seen this before, but I never looked for it either. I looked back 6 months and I can see duplicate events in the past as well. Every source type has duplicate entries in each indexer, like the logs are streaming from the forwarders to the indexers in parallel rather than load balancing.