Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple events from same indexed data

rantravee
Path Finder
‎10-02-2013 01:36 PM

I've written a script that polls a WebApi and after receiving the response streams the data into Splunk to be indexed . The response that is intended to be indexed is a large Json Object with more than 100 keys . I would aspect to see only one event after the script is runned containg the indexed json Object. Instead I see several events with the same timestamp ,each containing s subset of keys from the received Json Object. Is this correct ? Can there be something done so that the entire Json object belongs to the same event ?

I index the data into splunk through the following lines of code :

print jsonObject
sys.sdout.flush()

Thanks

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-02-2013 01:53 PM

Splunk's default event breaking behaviour unless you specify otherwise is to break into a new event whenever it finds a line with something it recognizes as a timestamp in. You can change this however you want by specifying other event breaking rules in props.conf. You could change the LINE_BREAKER so that Splunk doesn't consider something to be the end of the line unless it specifies your regex. I find this approach can often get messy though, even if it's the best option performance-wise. The other option is to change the line merging options - have a look at BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER etc.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-02-2013 01:53 PM

Splunk's default event breaking behaviour unless you specify otherwise is to break into a new event whenever it finds a line with something it recognizes as a timestamp in. You can change this however you want by specifying other event breaking rules in props.conf. You could change the LINE_BREAKER so that Splunk doesn't consider something to be the end of the line unless it specifies your regex. I find this approach can often get messy though, even if it's the best option performance-wise. The other option is to change the line merging options - have a look at BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...