Splunk Dev

Multiple events from same indexed data

rantravee
Path Finder

I've written a script that polls a WebApi and, after receiving the response, streams the data into Splunk to be indexed. The response that is intended to be indexed is a large Json Object with more than 100 keys. I would expect to see only one event after the script is run, containing the indexed Json Object. Instead I see several events with the same timestamp, each containing a subset of keys from the received Json Object. Is this correct? Can something be done so that the entire Json Object belongs to the same event?

I index the data into Splunk through the following lines of code:

import sys

print jsonObject   # Python 2 print statement: writes the object followed by a newline
sys.stdout.flush() # was sys.sdout (typo); flush so the scripted input delivers the data promptly

Thanks

0 Karma
1 Solution

Ayn
Legend

Splunk's default event breaking behaviour, unless you specify otherwise, is to break into a new event whenever it finds a line with something in it that it recognizes as a timestamp. You can change this however you want by specifying other event breaking rules in props.conf. You could change the LINE_BREAKER so that Splunk doesn't consider something to be the end of the line unless it specifies your regex. I find this approach can often get messy though, even if it's the best option performance-wise. The other option is to change the line merging options - have a look at BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER etc.


0 Karma
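The two options described in the answer, written out as props.conf stanzas. This is an added example for this thread, not configuration posted by either participant; the sourcetype names webapi:json and webapi:json_pretty are assumed, and the script is assumed to tag its output with one of them. The first stanza is for a script that writes the whole object on one line (for example json.dumps with no indent); the second is for a script that pretty-prints the object over many lines. Comments spell out the defaults that cause the splitting seen in the question.

```ini
# Parse-time settings: place on the indexer or heavy forwarder that first
# parses the data (a universal forwarder does not apply these). They only
# affect data indexed after the change.

# Option 1 (LINE_BREAKER): the script emits the whole JSON object as ONE line.
[webapi:json]
# Defaults are SHOULD_LINEMERGE = true and BREAK_ONLY_BEFORE_DATE = true, so
# Splunk splits the input into lines and starts a new event at every line it
# can find a timestamp in. Here the newline written by print is the only
# event boundary, so no merging or date scanning is needed at all.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Default TRUNCATE is 10000 bytes; a 100+ key object can exceed it. 0 = no limit.
TRUNCATE = 0
# Stamp the event with the time it was indexed instead of scanning the JSON
# for anything that looks like a date.
DATETIME_CONFIG = CURRENT
# Search-time: extract the JSON keys as fields.
KV_MODE = json

# Option 2 (line merging): the script pretty-prints the object over many lines.
[webapi:json_pretty]
SHOULD_LINEMERGE = true
# Stop starting a new event whenever a value looks like a date ...
BREAK_ONLY_BEFORE_DATE = false
# ... and start one only at an unindented opening brace, i.e. the top-level
# object. Nested objects in pretty-printed JSON are indented, so they do not match.
BREAK_ONLY_BEFORE = ^\{
# Merging stops after MAX_EVENTS lines (default 256); raise it for large objects.
MAX_EVENTS = 10000
TRUNCATE = 0
DATETIME_CONFIG = CURRENT
KV_MODE = json
```

Option 1 is the cheaper path at parse time, which matches the answer's remark about performance. TRUNCATE = 0 removes the size guard entirely, so pair it with a known upper bound on the API response rather than trusting an external service to stay small; if you would rather keep a ceiling, set TRUNCATE to a byte count comfortably above the largest expected response. After changing props.conf, restart or reload the parsing tier and re-run the script; already-indexed events are not re-broken.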
