Hi there
- our customer has a custom app we cannot modify
- for each unique event, the app sends a log with 2 or 3 lines
- each line has the same timestamp
- and nothing else is common (no "event id")
The result of default indexing:
- for each line, Splunk sees a different event
The result the customer is expecting:
- one event that merges all the lines with the same timestamp
we are looking for a way to merge lines based on timestamp **at index time**
Does someone have a recipe?
Best regards