|
I have 2 scripted inputs running on the same interval - Sometimes, the output from both scripts will appear in the same event, is it because they both run at the same time? |
|
No, it's nothing to do with the interval. A known issue in Splunk will see that both input streams has the same host, source and sourcetype values, so it gets confused and mixes up the streams. An easy workaround is to change the 'source' value for one of the scripts, so that they can be easily distinguished. Is this really a bug? Considering that scripted inputs could be long-running scripts. In that case, I would want the lines from such scripts (e.g., maybe they do the same thing, but collect data from different users or databases) to be interleaved as they are produced by the script.
(19 Feb '10, 06:22)
gkanapathy ♦
2
Well it seems unlikely that you would want the output of multiple scripts to be merged into a single event. From a flexibility perspective it seems non-awful to have the aggregator in charge of splitting out the events, but it's still confusing. They should become part of the same stream of events, but be discrete.
(19 Feb '10, 19:17)
jrodman ♦
|
|
Mick, can this same situation also happen for regular file inputs too? For example, say there's a directory full of log files (written to concurrently by multiple processes), and the following Since all files in this directory would be given the exact same BTW, sorry for asking a follow up question on your question. I was going to just add a comment, but figured that it would be better to fully explain the question, and there's just not enough room in a single comment... No problem Lowell, I don't think so, as I'm pretty sure the new tailing processor is smart enough to keep events from separate files apart. If you do see it happening, its a bug we'll want to fix
(19 Oct '10, 18:51)
Mick ♦
Thanks for the update. Perhaps I'll tests this on a test splunk instance when I get a chance.
(20 Oct '10, 14:40)
Lowell ♦
|
