Splunk treating multiple lines as one event since they have the same timestamp



I have the following events. You can see that the timestamps are the same to the second. Due to this Splunk seems to be treating them as one event. However, each is a discrete event. How can I have Splunk treat them as discrete events?

9B4C74AF-24D5-45EC-B250-E0B3815F8744,twi1gjni2q.database.windows.net,: Database,DB Number Sessions,20,2013-03-22 02:48:17.003
F4FEF78F-FBEF-4201-B0B1-02B0221099C5,twi1gjni2q.database.windows.net,: Database,DB Network Internal Egress (KB),17740.686528,2013-03-22 02:48:17.030
0014E747-4BCB-4542-9B5B-A6D7CE9D0110,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (%),28.9451599121094,2013-03-22 02:48:17.997
D7448FB8-2CBB-4F54-B229-81E6BD3B604C,qa84z9y1vj.database.windows.net,: Database,DB Total Free Space (%),71.0548400878906,2013-03-22 02:48:18.013
D744C4C8-1C49-4075-A47F-19F0D6B04533,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (MB),296.3984375,2013-03-22 02:48:18.023
0A95EAE0-D7B9-428F-826E-0D4D6341CD2D,qa84z9y1vj.database.windows.net,: Database,DB Total Space Quota (MB),1024,2013-03-22 02:48:18.030



Hi sourabhguha, (amended from previous answer)

Have you set up a props.conf file for this data? You can add a config that will break each line up as a different event.

I have just been testing with the data that you have and have been able to get it working by adding the TIME_PREFIX option to the props.conf and adding a comma, as listed below:

If this does not work, let me know what your props.conf file looks like and I would be glad to work on it further with you.

Regards Vince


Hi Vince, I did reindex my data with the option you suggested and it worked. Thanks for your help!



Hi sourabhguha, if you do reindex your data, I would be interested to know if it works or not?
Regards Vince


Ultra Champion

No. Already indexed events cannot be altered in that respect. There are a few types of information that cannot (almost) be changed on already indexed data, e.g. timestamp, index, source, host, sourcetype, and in your case event breaking.



Thanks for the response.

I did that, but it did not resolve the problem for existing events. Do I need to delete the data and re-import it into Splunk for the fix to take effect?


Ultra Champion

You should also be looking to set TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in props.conf.

Also, you should benefit from setting SHOULD_LINEMERGE=false.
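Putting the advice from this thread together for the sample lines in the question, here is a props.conf stanza as an added example (it is not the config Vince tested, which the page does not reproduce); the sourcetype name `azure_db_metrics` is an assumed placeholder for whatever sourcetype the feed is indexed under.

```ini
# props.conf on the indexer (or heavy forwarder) that parses this feed.
# The stanza name is an assumed placeholder; use the sourcetype the data
# actually arrives with.
[azure_db_metrics]

# Every line is its own event: turn line merging off and break on newlines,
# so two lines sharing the same second are never folded into one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# The timestamp is the sixth comma-separated field, e.g.
#   <uuid>,<host>,: Database,DB Number Sessions,20,2013-03-22 02:48:17.003
# so skip the first five fields (each with its trailing comma) before
# timestamp extraction begins; the UUID at the start of the line is then
# never mistaken for a date.
TIME_PREFIX = ^(?:[^,]*,){5}

# Parse the full millisecond precision, so events in the same second keep
# distinct _time values (.003, .030, .997, ...).
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N

# "2013-03-22 02:48:17.003" is 23 characters; do not scan past the field.
MAX_TIMESTAMP_LOOKAHEAD = 23
```

As the thread notes, this only affects data indexed after the change; events already indexed keep their event breaks and timestamps until they are deleted and re-indexed.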