I have logs from a custom application being streamed into Splunk using a universal forwarder. The problem I have is that there are multiple lines with the same time. See below.
19:12:51.790,16526719,TCP,2,3404,2226
19:12:51.790,66870655,TCP,10,53743,355114
19:12:51.790,199246079,TCP,5,2937,5715
19:12:51.790,281972991,TCP,2,55722,43156
19:12:51.790,282382591,TCP,11,2458,11480
I have extracted the fields of this data using the props.conf and transforms.conf files; however, when I do a search by what we call Cust_id it only pulls out the information from the first line logged for a timestamp. In the above example it would only find Cust_id = 16526719.
How can I adjust my query to find the Cust_id for every line that is indexed in Splunk?
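The symptom described in the post (five lines share one timestamp, a search on Cust_id returns only the first value) is what it looks like when Splunk's default line merging has glued several lines into a single event, so the field extraction fires once per event rather than once per line. The stanza below is an added example, not configuration from the original post; it assumes a sourcetype named custom_app (hypothetical), that the merging happens at index time rather than in the extraction itself, and made-up names for the three columns after the protocol, since the post does not name them. It belongs on the indexer or heavy forwarder that parses the data, because a universal forwarder does not apply line-breaking or timestamp settings.

```ini
# props.conf on the parsing tier (indexer or heavy forwarder). Added example.
# Assumes sourcetype name "custom_app" and column names col4/col5/col6 (hypothetical).
[custom_app]
# Default is SHOULD_LINEMERGE = true, which lets Splunk merge consecutive
# lines into one event when it is unsure where an event boundary falls.
# Turn it off and break strictly on newlines: one line, one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Tell Splunk exactly where the timestamp is, so it does not scan past the
# first comma and mistake the numeric Cust_id column for part of the time.
# "19:12:51.790" is 12 characters, so the lookahead can be that short.
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12

# Caveat: the lines carry a time but no date, so Splunk fills in the date
# from the current day (or the file modification time). If the application
# can emit a date, add it and extend TIME_FORMAT accordingly.

# Search-time extraction of the CSV-style columns. Done inline here so the
# example is self-contained; an equivalent REPORT-* stanza pointing at a
# transforms.conf entry works the same way.
EXTRACT-custom_app_fields = ^(?<log_time>\d{2}:\d{2}:\d{2}\.\d{3}),(?<Cust_id>\d+),(?<proto>\w+),(?<col4>\d+),(?<col5>\d+),(?<col6>\d+)$
```

These settings only affect data indexed after the change (restart or reload the parsing tier after editing). Events that were already merged stay merged; for those, a search-time workaround is to pull every Cust_id out of the multi-line event and then split it, for example with rex max_match=0 using a (?m)^[^,]+,(?<Cust_id>\d+), pattern followed by mvexpand Cust_id, after which a search on Cust_id=16526719 or Cust_id=66870655 matches the individual line.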