Deployment Architecture

json sourcetype failed to act correctly

fatemebayat
Engager

hi everyone
i have a problem with events with sourcetype=json.
when i send several logs to splunk in json format less than aorund 30s, logs aggregated in one event.
WHY?
but when i use sourcetype=json_no_timestamp, every events correct and seperated.
can i help me , how can i solve my problem?

Tags (1)
0 Karma

fatemebayat
Engager

hi hettervi
thanks for your attention.
yes, in know it :). sourcetype is _json.
finally i solved it.
in setting -> source types -> _json, i added below setting.
-SHOULD_LINEMERGE= false
-AUTO_KV_JSON = false
-KV_MODE = none
and timestamp in auto mode and has a structure like this (Wed May 24 09:30:00.555 UTC 2017).

hettervik
Builder

Hi. Maybe a stupid answer, but you know it should be sourcetype=_json, and not simply json?

0 Karma
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...