Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple events from same indexed data

rantravee
Path Finder
‎10-02-2013 01:36 PM

I've written a script that polls a WebApi and after receiving the response streams the data into Splunk to be indexed . The response that is intended to be indexed is a large Json Object with more than 100 keys . I would aspect to see only one event after the script is runned containg the indexed json Object. Instead I see several events with the same timestamp ,each containing s subset of keys from the received Json Object. Is this correct ? Can there be something done so that the entire Json object belongs to the same event ?

I index the data into splunk through the following lines of code :

print jsonObject
sys.sdout.flush()

Thanks

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-02-2013 01:53 PM

Splunk's default event breaking behaviour unless you specify otherwise is to break into a new event whenever it finds a line with something it recognizes as a timestamp in. You can change this however you want by specifying other event breaking rules in props.conf. You could change the LINE_BREAKER so that Splunk doesn't consider something to be the end of the line unless it specifies your regex. I find this approach can often get messy though, even if it's the best option performance-wise. The other option is to change the line merging options - have a look at BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER etc.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-02-2013 01:53 PM

Splunk's default event breaking behaviour unless you specify otherwise is to break into a new event whenever it finds a line with something it recognizes as a timestamp in. You can change this however you want by specifying other event breaking rules in props.conf. You could change the LINE_BREAKER so that Splunk doesn't consider something to be the end of the line unless it specifies your regex. I find this approach can often get messy though, even if it's the best option performance-wise. The other option is to change the line merging options - have a look at BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...