0 votes
in DevOps Culture by
How does Splunk avoid the duplicate indexing of logs?

1 Answer

0 votes
by

At the indexer, Splunk keeps track of the indexed events in a directory called fishbucket with the default location:

/opt/splunk/var/lib/splunk

It contains seek pointers and CRCs for the files we are indexing, so splunkd can tell us if it has read them already.

Related questions

+2 votes
asked Nov 24, 2022 in DevOps Culture by Robin
+2 votes
asked Nov 24, 2022 in DevOps Culture by Robin
...