Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk data doesn't split correctly

zhoayang
Engager
‎01-27-2022 11:31 PM

Hi Splunk team, 

When I used Splunk to search the log data and found it didn't split correctly, It displayed as below:

zhoayang_0-1643354979552.png

The two data have been combined together, Can anyone has some suggestions do this situation? appreciate it.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-27-2022 11:36 PM

Hi @zhoayang,

could you share some sample of your original logs (not the oned displayed in Splunk search)?

please one of the event correctly parsed and one of the event not correctly parsed.

Anyway, in Community you can find many examples of JSON parsing e.g. https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-log-data/m-p/121521.

Ciao.

Giuseppe

Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-28-2022 02:15 AM

It looks like a problem with LINE_BREAKER in props.conf. (See Configure event line breaking.)  By default Splunk indexer assumes "([\r\n]+)", i.e., a new line, to be the separator of events.  But some logs seem to have jammed into a single line.  There is no universal regex to break non-hierarchical structures like JSON.  So, it is best to ask developers to break events neatly.  If developers can guarantee that the first field is always "namespace" as in illustrated examples, you can try ([\r\n]+|}{"namespace":).

There is a dedicated forum Getting Data In in which this type of issues are discussed.

Tags (2)
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...