I changed my props.conf a while ago so that SHOULD_LINEMERGE=false, and since then, I've gotten my desired result—one log line for one event.
However, whenever I output my search to a CSV file, it still contains the events that were indexed prior to me changing the props.conf. These events still have multiple log lines under a single timestamp.
Is there any way to tell Splunk to retroactively break up those indexed events into their own separate events? Or at least output to a CSV that has one event = one line?
source=...
| eval _raw = replace(_raw, "[\r\n]+", "#")
| makemv delim="#" _raw
| stats values(_time) as _time values(timestamp) as timestamp by _raw
| table _raw _time timestamp

This is a workaround: the regex turns every line break inside an old multi-line event into a "#" delimiter, makemv splits _raw on that delimiter, and stats by the multivalue _raw emits one row per line (identical lines collapse into one row, and the delimiter must be a character that never occurs in the log text).
I tried this and I still get the same number of events, whereas the number of events should increase--does this mean that once events are indexed by Splunk, they can't be separated into smaller events?
This is what my local props.conf looks like:
Ah, that's a shame, I don't have the older logs anymore. Thank you so much for your help though, I really appreciate it. I think I'll just try and write a script to manually separate those events. Thanks again!
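The script the asker mentions, written out as an added example (not code from the thread or from Splunk): it post-processes a CSV export, splitting each event whose _raw still holds several log lines into one row per line while copying _time and the other columns onto each new row. The column names and the sample export are assumed.

```python
import csv
import io
import re
import sys

# Sample Splunk CSV export (constructed for this example): the second event was
# indexed before SHOULD_LINEMERGE=false and carries three log lines in one _raw.
SAMPLE_CSV = (
    '"_time","source","_raw"\n'
    '"2013-05-01T10:00:00.000-04:00","app.log","2013-05-01 10:00:00 INFO started"\n'
    '"2013-05-01T10:00:01.000-04:00","app.log","2013-05-01 10:00:01 WARN slow query\n'
    '2013-05-01 10:00:02 INFO retry\n'
    '2013-05-01 10:00:03 ERROR failed"\n'
)

LINE_BREAK = re.compile(r"\r?\n")


def split_multiline_events(rows, raw_field="_raw"):
    """Return one row per log line; every other column is copied to each new row."""
    out = []
    for row in rows:
        # Blank lines (e.g. a trailing newline in _raw) are dropped, not emitted.
        lines = [ln for ln in LINE_BREAK.split(row.get(raw_field, "")) if ln.strip()]
        if not lines:
            out.append(dict(row))  # keep an empty event rather than silently lose it
            continue
        for line in lines:
            new_row = dict(row)
            new_row[raw_field] = line
            out.append(new_row)
    return out


def split_csv(text, raw_field="_raw"):
    """Parse a Splunk CSV export (quoted fields may span lines) and split its events."""
    reader = csv.DictReader(io.StringIO(text))
    return reader.fieldnames, split_multiline_events(reader, raw_field)


def write_csv(fieldnames, rows, fh):
    writer = csv.DictWriter(fh, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)


if __name__ == "__main__":
    # Usage: python split_events.py export.csv > split.csv (no argument: use the sample)
    text = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_CSV
    fieldnames, rows = split_csv(text)
    write_csv(fieldnames, rows, sys.stdout)
```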