Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple events from same indexed data

rantravee
Path Finder
‎10-02-2013 01:36 PM

I've written a script that polls a WebApi and after receiving the response streams the data into Splunk to be indexed . The response that is intended to be indexed is a large Json Object with more than 100 keys . I would aspect to see only one event after the script is runned containg the indexed json Object. Instead I see several events with the same timestamp ,each containing s subset of keys from the received Json Object. Is this correct ? Can there be something done so that the entire Json object belongs to the same event ?

I index the data into splunk through the following lines of code :

print jsonObject
sys.sdout.flush()

Thanks

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-02-2013 01:53 PM

Splunk's default event breaking behaviour unless you specify otherwise is to break into a new event whenever it finds a line with something it recognizes as a timestamp in. You can change this however you want by specifying other event breaking rules in props.conf. You could change the LINE_BREAKER so that Splunk doesn't consider something to be the end of the line unless it specifies your regex. I find this approach can often get messy though, even if it's the best option performance-wise. The other option is to change the line merging options - have a look at BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER etc.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-02-2013 01:53 PM

Splunk's default event breaking behaviour unless you specify otherwise is to break into a new event whenever it finds a line with something it recognizes as a timestamp in. You can change this however you want by specifying other event breaking rules in props.conf. You could change the LINE_BREAKER so that Splunk doesn't consider something to be the end of the line unless it specifies your regex. I find this approach can often get messy though, even if it's the best option performance-wise. The other option is to change the line merging options - have a look at BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MUST_NOT_BREAK_AFTER etc.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...