I have 6 scripted inputs that use the same script, but with different arguments and I'm noticing that it's mixing the events. This seems to happen when the previous script instance finishes after the next has already started. When this happens, I'll see the first event come in with two timestamps (its own and the next) and the next event will have no time stamp at all 😞
I'm using the same source and sourcetype for the 6 script stanzas in inputs.conf. How can I make sure that Splunk is able to distinguish between executions when parsing the events?
Hi romedome, this seems like it is a bug, and you probably should submit a support ticket to verify.
As to a more immediate workaround, a few options come to my mind:
Please let me know if this answers your question! (or helps in any way at least)
I think you might be right, this looks like it could be a bug. Yesterday I gave each exec stanza in the inputs.conf file a slightly different source value and it stopped mixing the output from the instances. I previously had 6 separate scripts, but in an attempt to make this a more "elegant" solution I consolidated into a single script, and this is when this issue reared its head.