Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does Splunk divide events?

sylim_splunk
Splunk Employee
Splunk Employee
‎01-27-2015 03:30 PM

There is an application putting SOAP logs, request and response, in a small delay of 0 ~10 secs into the log file - I want this to be indexed as a single event, but Splunk indexes it into 2 events - request and response separately. This doesn't always happen, but quite frequently. How can I achieve this?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎01-27-2015 03:35 PM

This is not what Splunk can support. In order to get data indexed in a timely way, we presume an event is complete IF:
- The last character of the file is a newline
- The size of the file is not a multiple of 512 bytes
So if your app writes out a complete line and the stops, Splunk will break it.

View solution in original post

Reply
Solved! Jump to solution

aakwah
Builder
‎01-27-2015 03:40 PM

Hello,

To do this put the following 2 lines in forwarder's props.conf:

SHOULD_LINEMERGE=true
MAX_EVENTS = 2

Regards,
Ahmed Elakwah

0 Karma
Reply
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎01-27-2015 03:35 PM

This is not what Splunk can support. In order to get data indexed in a timely way, we presume an event is complete IF:
- The last character of the file is a newline
- The size of the file is not a multiple of 512 bytes
So if your app writes out a complete line and the stops, Splunk will break it.

Reply
Solved! Jump to solution

sylim_splunk
Splunk Employee
Splunk Employee
‎11-13-2017 02:47 PM

If there's a gap more than 3 seconds between each data flush, either by app or by OS the event will be indexed separately because of this behavior. To work around it increase the value of time_before_close to, like 10 secs.

[monitor://D:\LogFiles\Test]
time_before_close = 10

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...