Splunk combining multiple logs

Question

For some reason splunk is combining multiple logs.

I am logging each time a user logs in for statistical reasons. I expected that in splunk I would get one line per log, such as the following:

TIMESTAMP user of type=1 has logged in
----------------------------
TIMESTAMP user of type=2 has logged in
----------------------------
TIMESTAMP user of type=3 has logged in

etc. where ------------- represents the separator between logs.

However, I am instead getting multiple logs being considered as one log, such as:

TIMESTAMP user of type=1 has logged in
TIMESTAMP user of type=2 has logged in
TIMESTAMP user of type=1 has logged in
-------------------------------
TIMESTAMP user of type=3 has logged in
TIMESTAMP user of type=3 has logged in
--------------------------
TIMESTAMP user of type=2 has logged in
TIMESTAMP user of type=1 has logged in
TIMESTAMP user of type=3 has logged in
TIMESTAMP user of type=1 has logged in
---------------------------------

The groupings are random and go from 1-6 per group. I need to be able to count how many logins per day. So answering any one of the following questions would be sufficient.

Why is splunk "merging" my logs and how can I separate them?
How can I timespan count based on lines rather than logs (and still maintain a count of each type)
Is there a way I can extract multiple fields with the same key name in one log and count them all?

score 4 · Answer 1 · answered Sep 24 '14 at 03:14

1. You can refer to "Line breaking" in props.conf, you can try attributes like LINE_BREAKER , SHOULD_LINEMERGE, ...see : http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Propsconf

2. There are two approaches to do this. a. Use "bucket" command : ... | bucket _time span=5min | ... b. Use "timechart" or "chart" command with "span" parameter : ... | timechart span=5min

and then .... count it.

3. Multiple value in Splunk means that a field in an event has more than one values. I'm not sure what "extract multiple fields with the same key name in one log" means, Can you provide an example?

score 0 · Answer 2 · answered Apr 20 '14 at 11:54

0

1.I think the merging of the lines are happening based on common time stamps. Please let know the timestamps of the merged events.

2.And for timespan count of each type you should better have field named type and plot a timechart based on that field.

3.Yes you can.

answered Apr 20 '14 at 11:54

krish3

85
1
1
8

1. The timestamps are based on the minute and there are about 50 per minute. It does not merge by minute, the merge is random. 2. I did a timespan based on the field but it is only grabbing the first item from the log, not all of them. How do I do it on a per line bases? 3. Great, could you tell me how? – Nick Humrich Apr 21 '14 at 20:14
Okay im guessing the thing your are facing here is because of the time stamp is not extracted by splunk from the logs.. And also please post some sample data so i that i can use them.. And please confirm have you edited props.conf for extracting time stamp from the logs..? – krish3 Apr 22 '14 at 15:23
I dont care about extracting the timestamps. I only care about extracting on a PER LINE basis based on type. I couldn't care less about the timestamp. The sample data is in the question. Timestamp shouldn't matter so I am not going to provide that data. – Nick Humrich Apr 22 '14 at 17:05

Splunk combining multiple logs

2 Answers2