When I run a simple query "index=syslog update sourcetype=fgt_event devname=xxxxx", it returns duplicate (2) events with the only difference being the splunk_server field. The device is sending syslog data to only one of the indexers. I am using the standard UDP:514 Data Input to receive this data.
Splunk setup:
2-server indexer cluster
2 non-clustered search heads
Question 1 - Is this affecting my licence quota? Syslog data is my largest source.
Question 2 - How do I clean this up as it is affecting reporting?
Thank you in advance for any help provided.
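As an added example (not part of the original post, and not an answer from Splunk or the poster), the searches below show how a practitioner would first confirm that the pairs really are byte-identical copies of the same event split across the two indexers, and then suppress the copies for reporting until the ingestion side is fixed. They assume the same index, sourcetype and devname filter used in the question; the `devname=xxxxx` value is the poster's placeholder.

```spl
# 1. Quantify the duplication: group events by timestamp and raw text and
#    count how many indexers each event landed on. Rows where dc(splunk_server)=2
#    are the same event indexed twice; "count" shows the inflated event total.
index=syslog sourcetype=fgt_event devname=xxxxx
| stats count dc(splunk_server) AS indexers values(splunk_server) AS where_indexed BY _time _raw
| where count > 1
| stats sum(count) AS duplicated_events dc(_raw) AS distinct_events values(where_indexed) AS where_indexed

# 2. Per-indexer volume: if one indexer alone should be receiving UDP 514 but
#    both show roughly equal counts, the second copy is being indexed, which is
#    what would double the licensed volume for this source.
index=syslog sourcetype=fgt_event devname=xxxxx
| stats count BY splunk_server

# 3. Reporting workaround until ingestion is corrected: keep one copy per
#    distinct event, then run the normal report on the deduplicated set.
index=syslog sourcetype=fgt_event devname=xxxxx
| dedup _time _raw
| stats count BY devname
```

The `dedup _time _raw` in search 3 only hides the duplicates at search time; the second copy is still stored and still counted, so search 2 is the one that tells you whether the ingest path (an input enabled on both indexers, or a second input/forwarder delivering the same stream) needs to be fixed.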