Hi,
I have the following events. You can see that the timestamps are the same to the second. Due to this, Splunk seems to be treating them as one event. However, each is a discrete event. How can I have Splunk treat them as discrete events?
9B4C74AF-24D5-45EC-B250-E0B3815F8744,twi1gjni2q.database.windows.net,: Database,DB Number Sessions,20,2013-03-22 02:48:17.003
F4FEF78F-FBEF-4201-B0B1-02B0221099C5,twi1gjni2q.database.windows.net,: Database,DB Network Internal Egress (KB),17740.686528,2013-03-22 02:48:17.030
0014E747-4BCB-4542-9B5B-A6D7CE9D0110,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (%),28.9451599121094,2013-03-22 02:48:17.997
D7448FB8-2CBB-4F54-B229-81E6BD3B604C,qa84z9y1vj.database.windows.net,: Database,DB Total Free Space (%),71.0548400878906,2013-03-22 02:48:18.013
D744C4C8-1C49-4075-A47F-19F0D6B04533,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (MB),296.3984375,2013-03-22 02:48:18.023
0A95EAE0-D7B9-428F-826E-0D4D6341CD2D,qa84z9y1vj.database.windows.net,: Database,DB Total Space Quota (MB),1024,2013-03-22 02:48:18.030
Hi sourabhguha, (amended from previous answer)
Have you set up a props.conf file for this data as you can add a config that will break each line up as a different.
I have just been testing with the data that you have and have been able to get it working by adding the TIME_PREFIX option to the props.conf and adding a comma, as listed below:
TIME_PREFIX=,
If this does not work, let me know what your props.conf file looks like and I would be glad to work on it further with you.
Regards Vince
Hi Vince, I did reindex my data with the option you suggested and it worked. Thanks for your help!
Hi sourabhguha, if you do reindex your data, I would be interested to know if it works or not?
Regards Vince
No. Already indexed events cannot be altered in that respect. There are a few types of information that cannot (almost) be changed on already indexed data, e.g. timestamp, index, source, host, sourcetype, and in your case event-breaking.
Thanks for the response.
I did that, but it did not resolve the problem for existing events. Do I need to delete the data and re-import it into Splunk for the fix to take effect?
You should also be looking to set TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in props.conf
Also, you should benefit from setting SHOULD_LINEMERGE=false
/K
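The settings suggested in this thread, combined into one props.conf stanza for the sample events above. This is an added example, not a configuration posted by anyone in the thread; the sourcetype name `azure_sql_metrics` is hypothetical, and the TIME_PREFIX regex is a stricter variant of the plain comma that assumes the timestamp is always the sixth comma-separated field.

```ini
# props.conf on the instance that parses the data (indexer or heavy forwarder)
# [azure_sql_metrics] is a hypothetical sourcetype name; use your own.
[azure_sql_metrics]

# Treat every line as its own event instead of merging lines
# that appear to share a timestamp.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Skip the first five comma-separated fields (GUID, server, type,
# metric name, value) so extraction starts at the trailing timestamp.
TIME_PREFIX = ^(?:[^,]*,){5}

# Matches values such as 2013-03-22 02:48:17.003 (millisecond precision).
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N

# The timestamp is 23 characters long, counted from the end of TIME_PREFIX.
MAX_TIMESTAMP_LOOKAHEAD = 23
```

These settings are applied when data is parsed at index time, so, as noted in the thread, they affect only data indexed after the change.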