Specs:
- 5.0.4 indexer installed on three VMs: indexer1 and indexer2, and search1
- 5.0.4 U. forwarder installed on VM: forward1
- Using Tomcat 7.0.42
- Using Java applications 1.7.0_03
- Using Log4j 1.2.14
Question:
I have noticed that blocks of events from the Tomcat application running on forward1 are getting duplicated in the Indexers.
At first I thought it was simply a misconfiguration of my default groups in my outputs.conf, but I realized that it's only some events, and in certain cases the duplicates are actually on the same splunk_server (in other words the same indexer).
I know for sure that it repeats blocks of events and the underlying log file on the host (forward1) does not contain duplicates. When drilling down to the splunk source it shows duplicate blocks.
Any ideas?