Solved: Why does a single, short json file create multiple...

shawny2005 · ‎02-08-2017

I have short json files that I am uploading via Splunk Forwarder, but when they go into my index, they are always 2 events. This breaks my searching. Attaching image so you can see what I mean. Any way to make sure that I get one event per json file?

I shortened the JSON file by 3 lines and now it uploads as a single event. Not sure why this is the case.

shawny2005 · ‎02-10-2017

I managed to solve it by, renaming the first element of the .json file. it was "comments": ""

that seems to have broken the parser for some reason. The first element was a "". Not sure why.

View solution in original post

shawny2005 · ‎02-10-2017

I managed to solve it by, renaming the first element of the .json file. it was "comments": ""

that seems to have broken the parser for some reason. The first element was a "". Not sure why.

satishsdange · ‎02-08-2017

please refer this post - https://answers.splunk.com/answers/227596/why-am-i-seeing-a-mismatch-between-key-value-and-c.html

shawny2005 · ‎02-09-2017

I think this is a different problem.

mpreddy · ‎02-08-2017

Can you post some sample data.

if you want to combine total json file in to single event Give a try using this property in props.conf

SHOULD_LINEMERGE= TRUE

shawny2005 · ‎02-09-2017

This is enabled True on defaults and I don't see any thing overriding it.

shawny2005 · ‎02-08-2017

http://imgur.com/a/LPpJr

shawny2005 · ‎02-08-2017

above is link to the way it looks in search.

Why does a single, short json file create multiple events in Splunk?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...