My environment :
Splunk Indexer : 7.2.3 on Linux7
Splunk Deployment Server : 7.2.3 on Linux7
Universal Forwarder : 7.2.3 on Linux7
I configured that Deployment Server deploys below inputs.conf to UF.
[script//./bin/sample.sh]
interval = 14 12 * * *
index = sample_index
source = sample.sh
sourcetype = sample
disabled = 0
Everyday, UF kicks this script which runs "cat" to file(* about 7MB), and forwards result to Indexer.
However, sometimes UF ignores the setting of "interval" and tried to do this script input many times (* dozens times etc.), and it caused duplicate on Indexer.
Why does it happen?
If anyone knows a similar event, please tell me.
↧