For some reason Splunk is combining multiple logs.
I am logging each time a user logs in for statistical reasons. I expected that in splunk I would get one line per log, such as the following:
TIMESTAMP user of type=1 has logged in
----------------------------
TIMESTAMP user of type=2 has logged in
----------------------------
TIMESTAMP user of type=3 has logged in
etc., where ------------- represents the separator between logs.
However, I am instead getting multiple logs being considered as one log, such as:
TIMESTAMP user of type=1 has logged in
TIMESTAMP user of type=2 has logged in
TIMESTAMP user of type=1 has logged in
-------------------------------
TIMESTAMP user of type=3 has logged in
TIMESTAMP user of type=3 has logged in
--------------------------
TIMESTAMP user of type=2 has logged in
TIMESTAMP user of type=1 has logged in
TIMESTAMP user of type=3 has logged in
TIMESTAMP user of type=1 has logged in
---------------------------------
The groupings are random and go from 1-6 per group. I need to be able to count how many logins per day. So answering any one of the following questions would be sufficient.
- Why is Splunk "merging" my logs and how can I separate them?
- How can I timespan count based on lines rather than logs (and still maintain a count of each type)?
- Is there a way I can extract multiple fields with the same key name in one log and count them all?
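A props.conf stanza that addresses the first question, added here as an example; it is not part of the original post or of Splunk's documentation, and the sourcetype name `login_audit` is assumed (use whatever sourcetype your inputs.conf assigns to these logs).

```ini
# Added example, not from the original post. Splunk's default event breaking
# first splits on newlines and then merges lines back into one event unless
# it recognises a new timestamp at the start of a line; when the timestamp
# format is not recognised, several login lines end up in a single event,
# which is the behaviour described above. Turning line merging off makes
# every newline-terminated line its own event, so counts per day and per
# type come out right.
#
# This stanza belongs on the parsing tier (indexer or heavy forwarder), not
# on a universal forwarder, and only affects data indexed after a restart.
# "login_audit" is a placeholder sourcetype name.
[login_audit]
# Never merge lines back into multi-line events.
SHOULD_LINEMERGE = false
# Start a new event at every line terminator.
LINE_BREAKER = ([\r\n]+)
# Set this to the real timestamp layout once known, e.g. %Y-%m-%d %H:%M:%S,
# so that the daily bucket is taken from each line's own TIMESTAMP.
# TIME_FORMAT = <placeholder>
```

Once events are one per line, `... | rex "user of type=(?<type>\d+) has logged in" | timechart span=1d count by type` gives the daily login count for each type. Existing merged events are not re-split; they need to be re-indexed or counted with `rex max_match=0` followed by `mvexpand type`.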