Hi Splunkers,
I have noticed an issue in my Splunk environment:
Issue:
Data is getting duplicated twice in indexers. If I do a search in the search head, the same events are coming in twice. This issue started 2 days ago; earlier there was no issue with the data.
My Investigations:
1) Checked the application logs to see whether the same log exists twice. Answer: No
2) Checked whether this issue is happening to one sourcetype OR only for one index OR one forwarder. Answer: No, it is affecting all forwarders and indexers data.
My questions:
- Is the issue from the indexer cluster side?
- Is the issue from the forwarder side?
- Or is there any other reason why it is happening? And what steps are needed to prevent it?
Thanks in advance.
Regards,
Reddy.