I'm having a problem where multiple events are getting combined into a single event and I haven't been able to figure out how to fix it.
For example, the following two events are being listed as one event by splunk:
I have a splunk forwarder sending data to my main splunk indexer. I'm using apps to specify the inputs/outputs for the forwarder.
The sourcetype for the data in question is kotr_logknight
On the indexer I have created a props.conf that contains:
SHOULD_LINEMERGE = false
My understanding is that this should disable line merging so that my events shouldn't get combined. However, it doesn't seem to affect the behavior at all.
(I also tried putting props.conf on the forwarder and in with the app, and neither of those seemed to make any difference either)
How can I track down what is happening during indexing to understand why the configuration setting doesn't seem to be doing what I expect?
... View more