https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666959#M228789 <P>From splunk user we are receiving logs but when it comes to Splunk search head its splitting into different events&nbsp;</P><P>Expected log :</P><P><SPAN>Oct 26 09:37:51 +02:00 10.191.248.38 -: Operation%%31051 # Minor # qaz# XYZ # 10.135.114.70 # Succeeded # Function:[Configuration Management][MML Command</SPAN><SPAN>]</SPAN><SPAN>&nbsp;PQR&nbsp;ME:; # 2023-10-26 09:37:51#</SPAN></P><P><SPAN>splunk dividing into two separate&nbsp;events</SPAN></P><P><SPAN>Oct 26 09:37:51 +02:00 10.191.248.38 -: Operation%%31051 # Minor # qaz# XYZ # 10.135.114.70&nbsp; # Succeeded # Function:[Configuration Management][MML Command</SPAN><SPAN>]</SPAN></P><P>&amp;</P><P><SPAN>LST ME:; # 2023-10-26 09:37:51#</SPAN></P><P>How can i resolve this cannot combine this two because getting seperate event not one after another&nbsp;</P> Wed, 01 Nov 2023 07:04:10 GMT Komal0113 2023-11-01T07:04:10Z https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666959#M228789 <P>From splunk user we are receiving logs but when it comes to Splunk search head its splitting into different events&nbsp;</P><P>Expected log :</P><P><SPAN>Oct 26 09:37:51 +02:00 10.191.248.38 -: Operation%%31051 # Minor # qaz# XYZ # 10.135.114.70 # Succeeded # Function:[Configuration Management][MML Command</SPAN><SPAN>]</SPAN><SPAN>&nbsp;PQR&nbsp;ME:; # 2023-10-26 09:37:51#</SPAN></P><P><SPAN>splunk dividing into two separate&nbsp;events</SPAN></P><P><SPAN>Oct 26 09:37:51 +02:00 10.191.248.38 -: Operation%%31051 # Minor # qaz# XYZ # 10.135.114.70&nbsp; # Succeeded # Function:[Configuration Management][MML Command</SPAN><SPAN>]</SPAN></P><P>&amp;</P><P><SPAN>LST ME:; # 2023-10-26 09:37:51#</SPAN></P><P>How can i resolve this cannot combine this two because getting seperate event not one after another&nbsp;</P> Wed, 01 Nov 2023 07:04:10 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666959#M228789 Komal0113 2023-11-01T07:04:10Z https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666960#M228790 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261277">@Komal0113</a>&nbsp;Some more details needed:</P><UL><LI>Can we have your Splunk Search Query pls (remove any hostname, ip address, etc from the search query)</LI><LI>Are you using HF or not</LI><LI>mostly the props/transforms causes this issue. can we have your props/transforms(only the portion responsible for this APP/add-on/TA is enough)</LI></UL> Wed, 01 Nov 2023 07:26:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666960#M228790 inventsekar 2023-11-01T07:26:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666962#M228791 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a></P> <P>1) In splunk search query we are using index name for search&nbsp;</P> <P>2) Receiving logs via udp port</P> <P>3) props conf</P> <LI-CODE lang="markup">LINE_BREAKER = (\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}) SHOULD_LINEMERGE = false</LI-CODE> <P><BR />&nbsp;</P> Wed, 01 Nov 2023 11:55:03 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666962#M228791 Komal0113 2023-11-01T11:55:03Z https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666966#M228795 <P>1. Search head is the component which spawns searches against indexers which hold the already indexed data. So I assume you meant that you're sending data in some format but it's getting improperly split into events.</P><P>2. Sending raw tcp or udp data stream directly to a Splunk component is not the preferred way to go (for several reasons which I will not dig into at this point).</P><P>3. What do these events look like on the wire? I'm not 100% sure but I think they might get split at datagram boundary regardless of other settings.</P><P>4. Your "split" set of events contains a second event which is _not_a part of the original event. A typo in preparation of the mockup data?</P> Wed, 01 Nov 2023 08:07:46 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-GUI-seperating-event/m-p/666966#M228795 PickleRick 2023-11-01T08:07:46Z