Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are events with equal timestamps merged into one event?

zapping575
Path Finder
‎02-14-2023 05:52 AM

I have a few files in which the log events happen to not be in chronological order.

Specifically, an event with say, timestamp "2022-01-01 11:00:00" may occur towards the top of the log, while a different event (with a different event message) with the same timestamp may occur towards the bottom of the log.

It is totally acceptable to have log events where the timestamps are exactly equal.

What splunk is doing however, is merging all of these "distributed" events together into one single event. This should not happen.

These are my config files:

 

 

props.conf
[mySourceType]
# example: 2022-07-01T23:53:54 2022-07-01T23:53:54                                                                 TIME_FORMAT = %Y-%m-%dT%H:%M:%S
REPORT-default = sourcefields-default

transforms.conf
[sourcefields-default]
SOURCE_KEY = source                                                                           REGEX = /files/(.*?)/(.*?)/(.*?)/(.*?)\-(.*)
FORMAT = field1::$1 field2::$2 field3::$3 field4::$4 field5::$5

 

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2023 07:20 AM

Hi @zapping575,

try adding 

SHOULD_LINEMERGE = false

to you props.conf and this should be sufficient.

eventually add also to you props.conf:

TIME_PREFIX = ^

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2023 05:56 AM

Hi @zapping575,

could you share some sample of your logs that aren't separated?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

zapping575
Path Finder
‎02-14-2023 07:10 AM

Ciao @gcusello 

The timestamp of the events that are merged together (in this example) is

  • 2023-01-31 10:40:01

This is how the event in question appears in the original file (some entries truncated for clarity):

Note that the first occurrence of the timestamp in question is on the second line.

 

2023-01-31 10:39:58 message1
2023-01-31 10:40:01 message2
2023-01-31 10:40:08 message3
2023-01-31 10:40:08 message4
2023-01-31 10:40:00 some message
2023-01-31 10:40:01 some message in between
2023-01-31 10:40:01 some message in between
2023-01-31 10:40:01 some message in between
2023-01-31 10:40:01 message5
2023-01-31 10:40:01 message5

 

This listing illustrates how the single, merged event appears in splunk search (with the timestamp mentioned above).

 

2023-01-31 10:40:01 message2
2023-01-31 10:40:01 message5
2023-01-31 10:40:01 message5
2023-01-31 10:40:05 some message from later

 

Sharing the original data is difficult so I am hoping that this condensed version will suffice. There are no anomalies regarding missing newlines on any of the offending events.

Regards,

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2023 07:20 AM

Hi @zapping575,

try adding 

SHOULD_LINEMERGE = false

to you props.conf and this should be sufficient.

eventually add also to you props.conf:

TIME_PREFIX = ^

Ciao.

Giuseppe

Reply
Solved! Jump to solution

zapping575
Path Finder
‎02-14-2023 07:33 AM

Hi @gcusello 

I cannot make that change on the productive system right away. But I have a dev environment where I just tested it.

The search for index=index_in_question linecount > 1 now returns zero results, so this solved the problem.

Thank you.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2023 07:35 AM

Hi @zapping575,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...