Hi
I've index a 12MB file in splunk but have different between line of file and event of splunk
file = 114,475 lines
splunk = 104,475 events
file lines like this:
123456789|0123456789|0123456789|Tobe |Alex |
any idea?
Thanks
Also, check for blank lines.
Where did the line count for the file come from? Is it counting long lines as two (or more lines)?
@ITWhisperer 1- there are no blank line in file.
2-vi in linux show line numbers.
3-each line one event in splunk.
Hi @indeed_2000,
check if in the file you have some multiline event.
If not check the correct parsing of you events.
Ciao.
Giuseppe
@gcusello
1-there is no multiline event.
2- how check correctly events parsed?
Check (usually is possible with a quick view on events9 if there are more events containing the timestamp that usually is at the beginning of the file.
@gcusello as i write in post there is no timestamp in this file.
check if there's a common (in format) beginning of each raw, so you can identify it there are more raws merged in the same event.
@gcusello would you please tell me an example?
