Solved: How does Splunk divide events?

sylim_splunk · ‎01-27-2015

There is an application putting SOAP logs, request and response, in a small delay of 0 ~10 secs into the log file - I want this to be indexed as a single event, but Splunk indexes it into 2 events - request and response separately. This doesn't always happen, but quite frequently. How can I achieve this?

sylim_splunk · ‎01-27-2015

This is not what Splunk can support. In order to get data indexed in a timely way, we presume an event is complete IF:
- The last character of the file is a newline
- The size of the file is not a multiple of 512 bytes
So if your app writes out a complete line and the stops, Splunk will break it.

View solution in original post

aakwah · ‎01-27-2015

Hello,

To do this put the following 2 lines in forwarder's props.conf:

SHOULD_LINEMERGE=true
MAX_EVENTS = 2

Regards,
Ahmed Elakwah

sylim_splunk · ‎01-27-2015

This is not what Splunk can support. In order to get data indexed in a timely way, we presume an event is complete IF:
- The last character of the file is a newline
- The size of the file is not a multiple of 512 bytes
So if your app writes out a complete line and the stops, Splunk will break it.

sylim_splunk · ‎11-13-2017

If there's a gap more than 3 seconds between each data flush, either by app or by OS the event will be indexed separately because of this behavior. To work around it increase the value of time_before_close to, like 10 secs.

[monitor://D:\LogFiles\Test]
time_before_close = 10

How does Splunk divide events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation