I think I should check the raw data in the above snip labelled as "together" on the server where it's getting generated, because if you look at the merged events, they are exactly the same. That is the first thing, and secondly, if you notice the timestamps of the merged lines in the merged events, they are chronological. If I am correct, it should be reverse chronological from top to bottom. I therefore think those merged lines are not separate lines with timestamps; rather, they are part of the very first line, and probably that is why Splunk is putting them all together into one event with timestamps in increasing order. Well, if that is so, then how could the next unique event above the merged one have a smaller timestamp? And that is why I suppose I need to check the order of lines with timestamps in the raw data on the server itself. Furthermore, why are there duplicate merged events? That is another question to be answered. 😁 Please correct me if I am wrong.
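The check proposed above (look at the raw file on the server, confirm which lines carry their own timestamp, whether those timestamps are in order on disk, and whether whole blocks repeat verbatim) can be scripted before touching any Splunk configuration. The following is an added example, not code from the original thread; it constructs its own sample log lines and assumes a `YYYY-MM-DD HH:MM:SS,mmm` timestamp prefix, which you would swap for the real format. It mimics a timestamp-anchored line breaker: each line starting with a timestamp opens a new event, and any other line is treated as a continuation of the previous one, which is how lines end up merged.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample raw log (not taken from the original post). Lines 4-6 are a
# verbatim repeat of lines 1-3, line 7 is out of time order, and lines 8-9 carry
# no timestamp at all, so a line breaker attaches them to line 7.
SAMPLE_RAW = """\
2024-03-10 12:00:01,000 ERROR step failed
2024-03-10 12:00:02,000 caused by: timeout
2024-03-10 12:00:03,000 retrying
2024-03-10 12:00:01,000 ERROR step failed
2024-03-10 12:00:02,000 caused by: timeout
2024-03-10 12:00:03,000 retrying
2024-03-10 12:00:00,500 INFO job finished
Traceback (most recent call last):
  File "job.py", line 1
"""

# Assumed timestamp format; adjust the regex and strptime format to the real source.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def split_events(raw, ts_re=TS_RE):
    """Mimic a timestamp-anchored line breaker.

    Returns a list of (timestamp_or_None, event_text). A line that begins with a
    timestamp starts a new event; any other line is appended to the current one.
    """
    events = []
    for line in raw.splitlines():
        m = ts_re.match(line)
        if m or not events:
            ts = datetime.strptime(m.group(1), TS_FMT) if m else None
            events.append((ts, line))
        else:
            ts, text = events[-1]
            events[-1] = (ts, text + "\n" + line)
    return events


def out_of_order(events):
    """Indices of events whose timestamp is earlier than the preceding one.

    Raw data on disk is normally non-decreasing; a hit means the writer buffered
    or interleaved output, or the timestamp is being read from the wrong field.
    """
    hits = []
    prev = None
    for i, (ts, _) in enumerate(events):
        if ts is None:
            continue
        if prev is not None and ts < prev:
            hits.append(i)
        prev = ts
    return hits


def duplicate_events(events):
    """Map event_text -> count for events that occur more than once verbatim."""
    counts = Counter(text for _, text in events)
    return {text: n for text, n in counts.items() if n > 1}


def continuation_events(events):
    """Indices of events that absorbed one or more timestamp-less lines."""
    return [i for i, (_, text) in enumerate(events) if "\n" in text]


if __name__ == "__main__":
    evs = split_events(SAMPLE_RAW)
    print(f"{len(evs)} events")
    print("out of order at:", out_of_order(evs))
    print("merged multi-line events at:", continuation_events(evs))
    for text, n in duplicate_events(evs).items():
        print(f"x{n}: {text}")
```

If the real file shows every line with its own timestamp and in increasing order, yet Splunk still glues them into one event, the breaker is not recognising that timestamp as an event boundary; if the file itself contains the repeated blocks, the duplicates come from the producer rather than from indexing.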