Splunk Search

Having issue with multiple events in tier3

srinivas_gowda
Path Finder

Hello team,

I am facing an issue with multiple events getting merged as a single event in tier 3. I do not have this issue with tier 1 or when I manually run the saved search. However when the saved search runs at a scheduled time these multiple events gets merged as 1 single event.

I even tried adding the below values in props.conf of Data App but did not help

[sourcetype::_json]

SHOULD_LINEMERGE = false

LINE_BREAKER = ([\r\n]+)\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s\+\d{4}

 

Below is how the event in tier 3 is like:
03/28/2024 10:35:00 +0000,search_now=1711622100.000000000,source_host="1.1.1.1 : ip-sample_ip.ec2.internal",metric_label="Port_Connectivity : Reporting no data",instance="Port : 45",metric_value="0",metric_unit="latest",alert_value="100",tower="Port reporting no data",threshold1="-2",threshold2="-1",threshold3="0.5",threshold4="0.5",blacklist_alerts="1",add_info="Time=1711622100.000000;!@#;state=offline;!@#;message=NA;!@#;protocol=NA;!@#;responsetext=NA;!@#;responsetime=1711622100.000000;!@#;returncode=NA;!@#;roundtriptime=NULL;!@#;service_name=NA;!@#;app_context=port_data"03/28/2024 10:35:00 +0000,search_now=1711622100.000000000,source_host="1.1.1.1 : ip-sample_ip.ec2.internal",metric_label="Port_Monitoring : Port_Status",instance="Port : 45",metric_value="201",metric_unit="Status",alert_value="100",tower="Infra",threshold1="0",threshold2="0",threshold3="300",threshold4="500",blacklist_alerts="1",add_info="Time=2024-03-28T10:33:48Z;!@#;state=reachable;!@#;message=reachable;!@#;protocol=UDP;!@#;responsetext=/bin/sh: line 1: nc: command not found;!@#;responsetime=na;!@#;returncode=0;!@#;roundtriptime=NULL;!@#;service_name=IMP;!@#;app_context=port_data"03/28/2024 10:35:00 +0000,search_now=1711622100.000000000,source_host="127.0.0.1 : ip-sample_ip.ec2.internal",metric_label="Port_Connectivity : Reporting no data",instance="Port : 3389",metric_value="0",metric_unit="latest",alert_value="100",tower="Port reporting no data",threshold1="-2",threshold2="-1",threshold3="0.5",threshold4="0.5",blacklist_alerts="1",add_info="Time=1711622100.000000;!@#;state=offline;!@#;message=NA;!@#;protocol=NA;!@#;responsetext=NA;!@#;responsetime=1711622100.000000;!@#;returncode=NA;!@#;roundtriptime=NULL;!@#;service_name=NA;!@#;app_context=port_data"




Every event will end at "app_context=port_data"" to be exact.

Please let me know how to resolve this.

Labels (3)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The problem appears to stem from missing newlines before the timestamps.  Try these props.conf settings:

[sourcetype::_json]
SHOULD_LINEMERGE = false
LINE_BREAKER = app_context=port_data"([\r\n]*)\d{2}\/\d{2}\/\d{4}
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...