Splunk Http appender is logging 2 entries for longer http requests. The first has the headers and the second has the body (a Soap envelope in our case). The log entries are separated by about 5 milliseconds. Is there any way to force Splunk to keep the entire request in a single log entry? The odd thing is we do not see this behavior for http responses - they always appear in a single entry no matter the size.
↧