KB 010 – Splunk duplicate instance name in distributed environment

Duplicate instance name in Splunk

Problem:

The following search should list each SAP instance once, but in a distributed environment it returns the same INSTANCE_NAME more than once:

source!=audittrail EVENT_TYPE=SM51 | dedup INSTANCE_NAME | sort +INSTANCE_NAME | fields INSTANCE_NAME | table INSTANCE_NAME

Condition:

  • Distributed Splunk environment where the search head and the indexer run on different systems

Cause:

The sap_abap sourcetype has no search-time configuration on the search head. The search head therefore falls back to the default, KV_MODE = auto, and automatic key-value extraction runs against the raw SAP events in addition to the add-on's own extractions, so dedup INSTANCE_NAME sees more than one value for the same instance and returns it more than once.

Solution:

  • On the search head, locate props.conf in SPLUNK_HOME\etc\system\local (create the file if it does not exist).
  • Add the attribute KV_MODE = none to the sap_abap sourcetype stanza:

[sap_abap]
KV_MODE = none

KV_MODE = none only switches off automatic key-value extraction for this sourcetype; explicit EXTRACT-/REPORT- field extractions defined for sap_abap still apply.

  • Restart the search head.
  • Run the search from the Problem section again; each INSTANCE_NAME should now be returned exactly once.
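The steps above applied as a script. This is an added example, not part of the original KB article or of any Splunk add-on: it makes sure a given props.conf carries KV_MODE = none in the [sap_abap] stanza, creating the file or the stanza when missing and correcting an existing KV_MODE value, and it touches nothing outside that stanza. The props.conf path and the SPLUNK_HOME value are assumptions to adapt to the search head; the final btool call is a real Splunk command shown for verification and is only run when the script is executed directly.

```shell
#!/bin/sh
# Added example (not from the KB article): idempotently set KV_MODE = none
# for the sap_abap sourcetype in a props.conf on the search head.
# Assumptions: POSIX sh with awk; SPLUNK_HOME points at the search head install.

# has_kv_mode_none FILE: succeeds if the [sap_abap] stanza in FILE already
# contains "KV_MODE = none" (whitespace around "=" is optional).
has_kv_mode_none() {
    [ -f "$1" ] || return 1
    awk '
        /^\[/ { in_stanza = ($0 == "[sap_abap]") }
        in_stanza && /^[ \t]*KV_MODE[ \t]*=[ \t]*none[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# ensure_kv_mode_none FILE: create FILE if missing, append the stanza if it is
# absent, otherwise rewrite KV_MODE inside the existing [sap_abap] stanza only
# (other stanzas such as [other] keep their own KV_MODE untouched).
ensure_kv_mode_none() {
    file=$1
    [ -f "$file" ] || : > "$file"
    if grep -q '^\[sap_abap\]' "$file"; then
        awk '
            /^\[/ {
                # leaving the stanza without having seen KV_MODE: add it first
                if (in_stanza && !seen) print "KV_MODE = none"
                in_stanza = ($0 == "[sap_abap]")
                if (in_stanza) seen = 0
            }
            in_stanza && /^[ \t]*KV_MODE[ \t]*=/ { print "KV_MODE = none"; seen = 1; next }
            { print }
            END { if (in_stanza && !seen) print "KV_MODE = none" }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '\n[sap_abap]\nKV_MODE = none\n' >> "$file"
    fi
}

# Only when run directly: fix the search head's system/local props.conf and show
# the effective, merged setting with btool (restart the search head afterwards).
if [ "${0##*/}" = "fix_sap_abap_kv_mode.sh" ]; then
    SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}           # assumed default location
    PROPS="$SPLUNK_HOME/etc/system/local/props.conf"   # path from the KB steps
    ensure_kv_mode_none "$PROPS"
    "$SPLUNK_HOME/bin/splunk" btool props list sap_abap --debug
fi
```

After the restart, `splunk btool props list sap_abap --debug` on the search head should show KV_MODE = none attributed to etc/system/local/props.conf; if another app's props.conf wins in the precedence order, the duplicate rows will remain and that file is the one to correct.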

Reference

http://docs.splunk.com/Documentation/Splunk/6.2.2/admin/Propsconf