Getting Data In

Sourcetype - checkpoint -aad :aure

arunsundarm
Engager

I have an HF and it is configured to send data via sourcetype A.

After some time it stops sending data to A.

Then I move the data to a different HF in sourcetype: test (to test if it is working),

then from the new HF I am routing the data to sourcetype A itself.

Will it reingest the data or checkpoint from where it left off? Will it ignore the data which was sent to sourcetype: test? I need help and a clear explanation.

0 Karma

PickleRick
SplunkTrust

Each ingested event is a separate entity and is processed independently so if you make the same data available to the input twice (for example by sending the same syslog event to a network-listening input) it's gonna get ingested, processed and indexed twice.

It's up to the input - if applicable - to make sure the same data is not ingested twice. That's why file monitoring inputs have some logic implemented which keeps track which files and "how far" have been read so far, database inputs can have checkpoints storing information at which point in time you stopped reading from DB and so on. But that happens on the input level.

After the event is read by the input, it's getting processed regardless of whether another "copy" of it has ever been indexed or not.

0 Karma

richgalloway
SplunkTrust

The two HFs have no way to know what the other has done so the new HF probably will reingest the same data.  I say "probably" because I'm not familiar with the mechanism the add-on uses to fetch data from Azure.  If the checkpoint is stored on the HF then data will be reingested by a different HF; if the checkpoint is stored on Azure then data may not be reingested.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jconger
Splunk Employee

I can confirm that the checkpoint data is stored in the KV Store on the forwarder.  The checkpoint is the last timestamp retrieved from the Azure REST API.  So if you use a new forwarder, the data will be ingested again (duplicate data).

0 Karma
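A minimal model of the behavior described in this thread, added here as an illustration and not code from the add-on or from any poster: a polling input whose only checkpoint is the last timestamp it retrieved, stored on the forwarder itself. `Forwarder`, `poll`, `duplicates`, `run` and the sample events are hypothetical and constructed; the model assumes the checkpoint belongs to the input and is not keyed by sourcetype.

```python
import hashlib
from collections import Counter

# Constructed sample: (timestamp, raw event) pairs standing in for an API that
# returns records newer than a given timestamp.
API_EVENTS = [
    ("2024-05-01T10:00:00Z", "signin user=alice result=success"),
    ("2024-05-01T10:05:00Z", "signin user=bob result=failure"),
    ("2024-05-01T10:10:00Z", "signin user=bob result=failure"),
    ("2024-05-01T10:15:00Z", "signin user=carol result=success"),
]

class Forwarder:
    """Hypothetical polling input whose checkpoint lives only on this host."""
    def __init__(self, name, checkpoint=""):
        self.name = name
        self.checkpoint = checkpoint  # last timestamp retrieved; "" = never ran

    def poll(self, api, sourcetype, upto=None):
        """Fetch events newer than the local checkpoint, then advance it."""
        batch = [(ts, raw) for ts, raw in api
                 if ts > self.checkpoint and (upto is None or ts <= upto)]
        if batch:
            self.checkpoint = batch[-1][0]
        return [{"_time": ts, "_raw": raw, "sourcetype": sourcetype,
                 "host": self.name} for ts, raw in batch]

def duplicates(index):
    """Count extra copies of events sharing the same (_time, _raw)."""
    seen = Counter(hashlib.sha256(f"{e['_time']}|{e['_raw']}".encode()).hexdigest()
                   for e in index)
    return sum(n - 1 for n in seen.values() if n > 1)

def run(seed_checkpoint):
    """Return (events indexed, duplicate copies) after moving from hf1 to hf2."""
    index = []
    hf1 = Forwarder("hf1")
    index += hf1.poll(API_EVENTS, "A", upto="2024-05-01T10:05:00Z")  # hf1 then stalls
    hf2 = Forwarder("hf2", checkpoint=hf1.checkpoint if seed_checkpoint else "")
    index += hf2.poll(API_EVENTS, "test")  # trial run under sourcetype test
    index += hf2.poll(API_EVENTS, "A")     # assumption: same input keeps its checkpoint
    return len(index), duplicates(index)

if __name__ == "__main__":
    print("fresh hf2: ", run(False))   # hf2 starts with no checkpoint
    print("seeded hf2:", run(True))    # hf2 starts from hf1's last timestamp
```

In this model the events hf1 already indexed come back as duplicates when hf2 starts with an empty checkpoint, and do not when hf2 starts from hf1's last timestamp.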