Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searching for merged events in Splunk

nawazns5038
Builder
‎06-10-2019 03:35 PM

Hi,

I have found that there are some events in Splunk that are merged and it is on a random basis and in a huge dataset.

Can I please know if there is a way to find the events that are merged.

All the events are in JSON format.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nawazns5038
Builder
‎06-12-2019 01:43 PM

index=abcd | regex "}\n{"

The above query worked . It will search for merged events in JSON format.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nawazns5038
Builder
‎06-12-2019 01:43 PM

index=abcd | regex "}\n{"

The above query worked . It will search for merged events in JSON format.

0 Karma
Reply
Solved! Jump to solution

amitm05
Builder
‎06-11-2019 04:21 AM

Similar problem of merged events (not json though) will give you a good idea around the solution.
https://answers.splunk.com/answers/590914/need-some-help-with-event-breaks.html

Would be able to help more if you mention your sample events and the rules you have defined for them

0 Karma
Reply
Solved! Jump to solution

nawazns5038
Builder
‎06-11-2019 12:14 PM 
    {
      "hello": "hello",
      "colors": {
        "red": "red",
        "blue": "blue",
        "green": "green"
      }
    }

    {
      "num_of_books": {
        "one": "1 book",
        "other": "%{count} books"
      }
    }

Suppose I have the above two JSON objects which are indexed into a single event . Technically they should be in two separate events, only few objects on a random basis were merged. I have corrected the issue by modifying the props.conf .

I just want to know how many of these objects were merged instead of indexing into a single event,

how can we write a SPL query to identify the merged events.

0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎06-10-2019 09:35 PM

@nawazns5038,

Take a look into below answer. Provide some sample data and explain what exactly the issue..

[https://answers.splunk.com/answers/124334/finding-the-field-difference-between-previous-event-and-cu...]

Thanks ..

0 Karma
Reply
Solved! Jump to solution

nawazns5038
Builder
‎06-11-2019 12:14 PM 
    {
      "hello": "hello",
      "colors": {
        "red": "red",
        "blue": "blue",
        "green": "green"
      }
    }

    {
      "num_of_books": {
        "one": "1 book",
        "other": "%{count} books"
      }
    }

Suppose I have the above two JSON objects which are indexed into a single event . Technically they should be in two separate events, only few objects on a random basis were merged. I have corrected the issue by modifying the props.conf .

I just want to know how many of these objects were merged instead of indexing into a single event,

how can we write a SPL query to identify the merged events.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...