We installed the Splunk Universal Forwarder
msiexec.exe /i splunkforwarder.msi DEPLOYMENT_SERVER="xxx.xx.xx.xx:8089" AGREETOLICENSE=Yes MONITOR_PATH="D:\MS_Logs\Events\" /quiet
with the above command on our PVS GoldServer (this is the master image of all the vDisks).
At the end of the vDisk preparation task we run the following:
# Stop Splunk forwarder, and clear the system settings
Stop-Service -name SplunkForwarder
cd 'C:\Program Files\SplunkUniversalForwarder\bin'
./splunk clone-prep-clear-config
The problem is that, as soon as we reboot a system, we found duplicate log files on Splunk.
For example, when I search for the following:
sourcetype="WinEventLog:Application" host=MyHost Date="%RebootDate%" RecordNumber="*"
We found two records for each record number.
Can anyone help me with how we can solve this behavior?
Thanks!