Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I configure Splunk to prevent 3 separat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I configure Splunk to prevent 3 separate events from being merged as a single event?
athorat
Communicator
12-07-2015
03:53 PM
When I search on one of the indexes, I get the data in a single event.
It should be three separate events. How can we deal with it?
Event returned in Splunk:
maintainCSAAContract,maintainCSAAContract,SOAUSER,,,479244912373535201,0,,9,2015-12-02 23:22:15.35,2015-12-02 23:22:15.709,359,,,,2,89501422,87549234,,,,67,121154630,5849501,,,,,, validateCSAAContractPartyRole,validateCSAAContractPartyRole,SOAUSER,Realtime,,973244912373550901,300,31696,0,2015-12-02 23:22:15.507,2015-12-02 23:22:15.766,259,,,,,,,,,,13,215066973,85403412,,,,,, maintainCSAAContractRoleIdentifier,maintainCSAAContractRoleIdentifier,TestUser,PROFILE_INSERT_UPDATE,,339944912373599301,300,1698,0,2015-12-02 23:22:15.992,2015-12-02 23:22:16.293,301,2,14557745,12844709,,,,,,,38,122412057,20411825,,,,,,
This should be 3 separate events
Event 1:
maintainCSAAContract,maintainCSAAContract,SOAUSER,,,479244912373535201,0,,9,2015-12-02 23:22:15.35,2015-12-02 23:22:15.709,359,,,,2,89501422,87549234,,,,67,121154630,5849501,,,,,,
Event 2:
validateCSAAContractPartyRole,validateCSAAContractPartyRole,SOAUSER,Realtime,,973244912373550901,300,31696,0,2015-12-02 23:22:15.507,2015-12-02 23:22:15.766,259,,,,,,,,,,13,215066973,85403412,,,,,,
Event 3:
maintainCSAAContractRoleIdentifier,maintainCSAAContractRoleIdentifier,TestUser,PROFILE_INSERT_UPDATE,,339944912373599301,300,1698,0,2015-12-02 23:22:15.992,2015-12-02 23:22:16.293,301,2,14557745,12844709,,,,,,,38,122412057,20411825,,,,,,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-07-2015
11:18 PM
use LINE_BREAKER = to break your lines if it does not have default line breaking based on timestamp and new line.
Refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents for details
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
12-07-2015
05:39 PM
how are the events in the log file? Are these in separate lines? In other words, each event in a separate line? What's in your props.conf
Try adding the following to your props.conf
SHOULD_LINEMERGE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
athorat
Communicator
12-10-2015
03:35 PM
Thanks for the suggestion, but that did not work.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
