We have a special environment where traffic goes through a switch TAP, which mirrors the same traffic to 2 different paths. We're planning to use stream forwarders to catch packets on both sides. However, this will result in duplicated events. Though I know we could probably use **dedup** to eliminate the duplicated events, I'd like to learn if there is any better solution to save index volume from the start.
I'm just brainstorming whether it's feasible to eliminate mirrored packets natively using Splunk's fish bucket mechanism itself. For example, we could use a heavy forwarder to collect the duplicated packets first and then forward a single copy to the backend indexers.
Open to any advice, thanks! :)
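The following is an added illustration, not part of the original post and not a Splunk mechanism: it shows the kind of content-based de-duplication an intermediate collection tier (the heavy forwarder idea above) would have to do to drop the second mirrored copy of each packet before it reaches an indexer. The sample events are constructed to look like what two capture points behind a mirroring TAP would emit for the same packets; the field names (`src`, `dst`, `sport`, `dport`, `ip_id`, `payload`, `path`) and the 2-second window are assumptions chosen for the example.

```python
import hashlib
from collections import OrderedDict

# Constructed sample events: the same packets seen by a forwarder on path "A"
# and on path "B" behind a mirroring TAP. "id" is only there so the example
# can report which records survived. ip_id is the IP identification field,
# included so a genuine retransmission (new ip_id) is not mistaken for a mirror.
SAMPLE_EVENTS = [
    {"id": 1, "ts": 100.000, "path": "A", "src": "10.0.0.5", "dst": "10.0.0.9",
     "sport": 51000, "dport": 443, "ip_id": 4101, "payload": b"\x16\x03\x01\x00\x10client-hello"},
    {"id": 2, "ts": 100.003, "path": "B", "src": "10.0.0.5", "dst": "10.0.0.9",
     "sport": 51000, "dport": 443, "ip_id": 4101, "payload": b"\x16\x03\x01\x00\x10client-hello"},
    {"id": 3, "ts": 100.010, "path": "A", "src": "10.0.0.9", "dst": "10.0.0.5",
     "sport": 443, "dport": 51000, "ip_id": 9001, "payload": b"\x16\x03\x03\x00\x10server-hello"},
    {"id": 4, "ts": 100.012, "path": "B", "src": "10.0.0.9", "dst": "10.0.0.5",
     "sport": 443, "dport": 51000, "ip_id": 9001, "payload": b"\x16\x03\x03\x00\x10server-hello"},
    # Same 5-tuple and payload as id 1 but a fresh ip_id: a real retransmit, keep it.
    {"id": 5, "ts": 103.000, "path": "A", "src": "10.0.0.5", "dst": "10.0.0.9",
     "sport": 51000, "dport": 443, "ip_id": 4102, "payload": b"\x16\x03\x01\x00\x10client-hello"},
    # Byte-identical to id 1 but arriving long after the window: kept, which is
    # the trade-off of bounding memory with a time window.
    {"id": 6, "ts": 103.500, "path": "B", "src": "10.0.0.5", "dst": "10.0.0.9",
     "sport": 51000, "dport": 443, "ip_id": 4101, "payload": b"\x16\x03\x01\x00\x10client-hello"},
]


def fingerprint(ev):
    """Hash of the fields that are identical on both mirrored copies of one packet."""
    h = hashlib.sha256()
    for field in ("src", "dst", "sport", "dport", "ip_id"):
        h.update(str(ev[field]).encode())
        h.update(b"|")
    h.update(ev["payload"])
    return h.digest()


class PacketDeduper:
    """Keeps fingerprints seen within a sliding time window, bounded in size.

    Assumes events arrive roughly in timestamp order (true when both mirrored
    paths are merged at one collector); insertion order is used for expiry.
    """

    def __init__(self, window_seconds=2.0, max_entries=100_000):
        self.window = window_seconds
        self.max_entries = max_entries
        self._seen = OrderedDict()  # fingerprint -> first_seen timestamp

    def _expire(self, now):
        # Drop the oldest fingerprints once they fall outside the window.
        while self._seen:
            fp, first_ts = next(iter(self._seen.items()))
            if now - first_ts > self.window:
                self._seen.popitem(last=False)
            else:
                break

    def accept(self, ev):
        """Return True for the first copy of a packet, False for a mirrored duplicate."""
        self._expire(ev["ts"])
        fp = fingerprint(ev)
        if fp in self._seen:
            return False
        self._seen[fp] = ev["ts"]
        if len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)  # hard memory cap, oldest out
        return True


def dedup_stream(events, window_seconds=2.0):
    """Filter a merged stream from both paths; returns (kept_events, dropped_count)."""
    deduper = PacketDeduper(window_seconds)
    kept, dropped = [], 0
    for ev in events:
        if deduper.accept(ev):
            kept.append(ev)
        else:
            dropped += 1
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = dedup_stream(SAMPLE_EVENTS)
    print("kept ids:", [ev["id"] for ev in kept], "dropped:", dropped)
```

Two caveats the example makes visible: the fingerprint must include something that distinguishes a mirrored copy from a legitimate retransmission (here the IP ID; with only the 5-tuple and payload, id 5 would have been dropped as well), and the time window is a memory bound, so a copy delayed past it (id 6) is still indexed and has to be caught by search-time dedup.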