I have a single site cluster that contains 5 indexers, 4 search heads, a master node, and a deployer. There are also some universal forwarders with load balancing.
All events in the indexer cluster come from universal forwarders. The data flow is as follows (the most common cluster architecture):
Server/Host (UF installed here)—————TCP—————>indexer cluster
Server/Host(syslog)—————Universal Forwarder—————TCP—————indexer cluster
Server/Host(UF monitors a file)——————TCP————>Indexer cluster
So here are my questions:
1. Why does it return duplicate events when I search? Is it because I'm using TCP? https://answers.splunk.com/answers/537368/why-is-there-event-duplication-via-tcp-port.html?
2. I disabled the use_ACK function in outputs.conf on the UF.
3. What are the common causes of repeated events? Please tell me so I can exclude them one by one. Thank you.
Forgive me for my English
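One way to narrow the cause down before touching any config, as an added diagnostic search that is not part of the original post: group identical raw events by time and check whether the copies sit on different indexers (which points at forwarder retransmission across the load-balanced outputs, for example after a dropped connection or a UF restart) or on the same indexer (which points at overlapping inputs, such as two monitor stanzas or a file that is both forwarded and monitored). The index and the 15-minute window are placeholders, not values from the post.

```spl
index=main earliest=-15m
| eval dedup_key=md5(host . "|" . source . "|" . sourcetype . "|" . _raw)
| stats count AS copies,
        dc(splunk_server) AS indexers_holding_copy,
        values(splunk_server) AS indexers,
        values(source) AS sources
  BY _time, dedup_key
| where copies > 1
| stats count AS duplicate_groups,
        sum(copies) AS total_copies,
        values(sources) AS sources
  BY indexers_holding_copy
```

A row with indexers_holding_copy greater than 1 means the same event was indexed on more than one peer (look at the forwarder side: connection drops, useACK, restarts); a row with indexers_holding_copy equal to 1 means one indexer received the event twice (look at inputs.conf on the UF for overlapping monitor or TCP/syslog inputs).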