topic Re: Splunk treating multiple lines as one event since they have the same timestamp in Splunk Search

Splunk treating multiple lines as one event since they have the same timestamp

sourabhguha — Fri, 22 Mar 2013 04:10:18 GMT

Hi,

I have the following events. You can see that the timestamps are the same to the second. Due to this Splunk seems to be treating them as one event. However, each is a discrete event. How can i have splunk treat them as discrete events?

9B4C74AF-24D5-45EC-B250-E0B3815F8744,twi1gjni2q.database.windows.net,: Database,DB Number Sessions,20,2013-03-22 02:48:17.003
F4FEF78F-FBEF-4201-B0B1-02B0221099C5,twi1gjni2q.database.windows.net,: Database,DB Network Internal Egress (KB),17740.686528,2013-03-22 02:48:17.030
0014E747-4BCB-4542-9B5B-A6D7CE9D0110,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (%),28.9451599121094,2013-03-22 02:48:17.997
D7448FB8-2CBB-4F54-B229-81E6BD3B604C,qa84z9y1vj.database.windows.net,: Database,DB Total Free Space (%),71.0548400878906,2013-03-22 02:48:18.013
D744C4C8-1C49-4075-A47F-19F0D6B04533,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (MB),296.3984375,2013-03-22 02:48:18.023
0A95EAE0-D7B9-428F-826E-0D4D6341CD2D,qa84z9y1vj.database.windows.net,: Database,DB Total Space Quota (MB),1024,2013-03-22 02:48:18.030

Re: Splunk treating multiple lines as one event since they have the same timestamp

vincesesto — Mon, 28 Sep 2020 13:34:47 GMT

Hi sourabhguha,(amended from previous answer)

Have you set up a props.conf file for this data as you can add a config that will break each line up as a different.

I have just been testing with the data that you have and have been able to get it working by adding the TIME_PREFIX option to the props.conf and adding a comma, as listed below:
TIME_PREFIX=,

If this does not work, let me know what you props.conf file looks like and I would be glad to work on it further with you.

Regards Vince

Re: Splunk treating multiple lines as one event since they have the same timestamp

kristian_kolb — Mon, 28 Sep 2020 13:34:52 GMT

You should also be looking to set TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in props.conf

Also, you should benefit from setting SHOULD_LINEMERGE=false

Re: Splunk treating multiple lines as one event since they have the same timestamp

sourabhguha — Fri, 22 Mar 2013 20:59:25 GMT

thanks for the response.

I did that, but it did not resolve the problem for existing events. Do I need to delete the data and re-import it into splunk for the fix to take effect

Re: Splunk treating multiple lines as one event since they have the same timestamp

kristian_kolb — Sat, 23 Mar 2013 08:17:09 GMT

No. Already indexed events cannot be altered in that respect. There are a few types of information that cannot (almost) be changed on already indexed data, e.g. timestamp, index, source, host, sourcetype, and in your case event-breaking

Re: Splunk treating multiple lines as one event since they have the same timestamp

vincesesto — Sat, 23 Mar 2013 08:39:59 GMT

Hi sourabhguha, if you do reindex your data, I would be interested to know if it works or now?
Regards Vince

Re: Splunk treating multiple lines as one event since they have the same timestamp

sourabhguha — Mon, 25 Mar 2013 02:44:34 GMT

hi Vince, i did reindex my data with the option you suggested and it worked. thanks for your help!