Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk GUI seperating event

Komal0113
Loves-to-Learn
‎11-01-2023 12:04 AM

From splunk user we are receiving logs but when it comes to Splunk search head its splitting into different events 

Expected log :

Oct 26 09:37:51 +02:00 10.191.248.38 -: Operation%%31051 # Minor # qaz# XYZ # 10.135.114.70 # Succeeded # Function:[Configuration Management][MML Command] PQR ME:; # 2023-10-26 09:37:51#

splunk dividing into two separate events

Oct 26 09:37:51 +02:00 10.191.248.38 -: Operation%%31051 # Minor # qaz# XYZ # 10.135.114.70  # Succeeded # Function:[Configuration Management][MML Command]

&

LST ME:; # 2023-10-26 09:37:51#

How can i resolve this cannot combine this two because getting seperate event not one after another 

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-01-2023 01:07 AM

1. Search head is the component which spawns searches against indexers which hold the already indexed data. So I assume you meant that you're sending data in some format but it's getting improperly split into events.

2. Sending raw tcp or udp data stream directly to a Splunk component is not the preferred way to go (for several reasons which I will not dig into at this point).

3. What do these events look like on the wire? I'm not 100% sure but I think they might get split at datagram boundary regardless of other settings.

4. Your "split" set of events contains a second event which is _not_a part of the original event. A typo in preparation of the mockup data?

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-01-2023 12:26 AM

Hi @Komal0113 Some more details needed:

  • Can we have your Splunk Search Query pls (remove any hostname, ip address, etc from the search query)
  • Are you using HF or not
  • mostly the props/transforms causes this issue. can we have your props/transforms(only the portion responsible for this APP/add-on/TA is enough)
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

Komal0113
Loves-to-Learn
‎11-01-2023 12:32 AM

Hi @inventsekar

1) In splunk search query we are using index name for search 

2) Receiving logs via udp port

3) props conf

LINE_BREAKER = (\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
SHOULD_LINEMERGE = false


 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...