- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk treating multiple lines as one event since ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk treating multiple lines as one event since they have the same timestamp
Hi,
I have the following events. You can see that the timestamps are the same to the second. Due to this Splunk seems to be treating them as one event. However, each is a discrete event. How can i have splunk treat them as discrete events?
9B4C74AF-24D5-45EC-B250-E0B3815F8744,twi1gjni2q.database.windows.net,: Database,DB Number Sessions,20,2013-03-22 02:48:17.003
F4FEF78F-FBEF-4201-B0B1-02B0221099C5,twi1gjni2q.database.windows.net,: Database,DB Network Internal Egress (KB),17740.686528,2013-03-22 02:48:17.030
0014E747-4BCB-4542-9B5B-A6D7CE9D0110,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (%),28.9451599121094,2013-03-22 02:48:17.997
D7448FB8-2CBB-4F54-B229-81E6BD3B604C,qa84z9y1vj.database.windows.net,: Database,DB Total Free Space (%),71.0548400878906,2013-03-22 02:48:18.013
D744C4C8-1C49-4075-A47F-19F0D6B04533,qa84z9y1vj.database.windows.net,: Database,DB Total Used Space (MB),296.3984375,2013-03-22 02:48:18.023
0A95EAE0-D7B9-428F-826E-0D4D6341CD2D,qa84z9y1vj.database.windows.net,: Database,DB Total Space Quota (MB),1024,2013-03-22 02:48:18.030
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sourabhguha,(amended from previous answer)
Have you set up a props.conf file for this data as you can add a config that will break each line up as a different.
I have just been testing with the data that you have and have been able to get it working by adding the TIME_PREFIX option to the props.conf and adding a comma, as listed below:
TIME_PREFIX=,
If this does not work, let me know what you props.conf file looks like and I would be glad to work on it further with you.
Regards Vince
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi Vince, i did reindex my data with the option you suggested and it worked. thanks for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sourabhguha, if you do reindex your data, I would be interested to know if it works or now?
Regards Vince
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. Already indexed events cannot be altered in that respect. There are a few types of information that cannot (almost) be changed on already indexed data, e.g. timestamp, index, source, host, sourcetype, and in your case event-breaking
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the response.
I did that, but it did not resolve the problem for existing events. Do I need to delete the data and re-import it into splunk for the fix to take effect
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should also be looking to set TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in props.conf
Also, you should benefit from setting SHOULD_LINEMERGE=false
/K
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
