I have short json files that I am uploading via Splunk Forwarder, but when they go into my index, they are always 2 events. This breaks my searching. Attaching image so you can see what I mean. Any way to make sure that I get one event per json file?
I shortened the JSON file by 3 lines and now it uploads as a single event. Not sure why this is the case.
I managed to solve it by, renaming the first element of the .json file. it was "comments": ""
that seems to have broken the parser for some reason. The first element was a "". Not sure why.
I managed to solve it by, renaming the first element of the .json file. it was "comments": ""
that seems to have broken the parser for some reason. The first element was a "". Not sure why.
please refer this post - https://answers.splunk.com/answers/227596/why-am-i-seeing-a-mismatch-between-key-value-and-c.html
I think this is a different problem.
Can you post some sample data.
if you want to combine total json file in to single event Give a try using this property in props.conf
SHOULD_LINEMERGE= TRUE
This is enabled True on defaults and I don't see any thing overriding it.
above is link to the way it looks in search.