https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98146#M6771 <P>Odd, source=cpu is still showing up as a single event for me. But the question was more "why the change", it kinda made sense to have one event as it's a snapshot in time, but yea always having to "| multikv" is a pain. Just trying to understand the reasoning, to mirror the functionality on my own inputs.</P> Mon, 14 Oct 2013 22:33:39 GMT mikelanghorst 2013-10-14T22:33:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98144#M6769 <P>Previously the scripted inputs (source=cpu, source=netstat, etc) all created a single event per run. Recently however I noticed the openports (was probably that way for awhile) creates an event per line of output.</P> <P>Why the differences? Just trying to understand the reason behind one vs. the other.</P> Mon, 14 Oct 2013 21:32:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98144#M6769 mikelanghorst 2013-10-14T21:32:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98145#M6770 <P>This is not new.<BR /> The props.conf config in older and current versions calls for a single line per event.</P> <P>in unix app 4.6<BR /> <CODE><BR /> [cpu]<BR /> SHOULD_LINEMERGE=false<BR /> LINE_BREAKER=^()$<BR /> TRUNCATE=1000000<BR /> DATETIME_CONFIG = CURRENT<BR /> REPORT-fields_for_cpu_sh = fields_for_cpu_sh<BR /> </CODE></P> <P>in unix app 5.0.0<BR /> `<BR /> [cpu]<BR /> SHOULD_LINEMERGE=false<BR /> LINE_BREAKER=(^$|[\r\n]+[\r\n]+)<BR /> TRUNCATE=1000000<BR /> DATETIME_CONFIG = CURRENT<BR /> KV_MODE = multi<BR /> FIELDALIAS-dest_for_cpu = host as dest<BR /> FIELDALIAS-src_for_cpu = host as src<BR /> FIELDALIAS-cpu_for_cpu = CPU as cpu<BR /> FIELDALIAS-idle_time_for_cpu = pctIdle AS PercentIdleTime<BR /> FIELDALIAS-nice_time_for_cpu = pctNice AS PercentNiceTime<BR /> FIELDALIAS-cpu_load_percent_for_cpu = pctSystem AS PercentSystemTime,pctSystem as cpu_load_percent<BR /> FIELDALIAS-cpu_user_percent_for_cpu = pctUser AS PercentUserTime,pctUser as cpu_user_percent<BR /> FIELDALIAS-wait_time_for_cpu = pctIowait AS PercentWaitTime</P> <P>`</P> Mon, 28 Sep 2020 14:57:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98145#M6770 yannK 2020-09-28T14:57:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98146#M6771 <P>Odd, source=cpu is still showing up as a single event for me. But the question was more "why the change", it kinda made sense to have one event as it's a snapshot in time, but yea always having to "| multikv" is a pain. Just trying to understand the reasoning, to mirror the functionality on my own inputs.</P> Mon, 14 Oct 2013 22:33:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98146#M6771 mikelanghorst 2013-10-14T22:33:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98147#M6772 <P>Though I've not updated to the TA for my *nix inputs yet, will roll that into my 6.0 upgrade.</P> Mon, 14 Oct 2013 22:36:01 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Single-Event-vs-multi-events-for-scripted-inputs/m-p/98147#M6772 mikelanghorst 2013-10-14T22:36:01Z