I use the *nix app to monitor running processes. I found that the number of processes in the Splunk event does not match the actual number of running processes. The Splunk event represents 47 processes, but actually 97 processes are running.
I investigated this situation and it seems that Splunk might extract a time stamp from the ps command output (event text). So the ps.sh output was divided into several events, though originally it was one event. The props.conf in the *nix app has "DATETIME_CONFIG = CURRENT" as follows.
[ps]
SHOULD_LINEMERGE=false
LINE_BREAKER=^()$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
The split position is as follows:
[screenshot: split position]
First event (time stamp is right)
[screenshot: first event]
Second event (time stamp is wrong)
[screenshot: second event]
splunkd.log
04-24-2013 09:25:12.132 +0900 WARN DateParserVerbose - Accepted time (Fri Oct 14 00:00:00 2016) is suspiciously far away from the previous event's time (Fri Apr 26 00:00:00 2013), but still accepted because it was extracted by the same pattern.
Why does this happen? How can I solve it? I want to get all running processes as one event. How can I have it recognized as a single event?
Thank you for your help.
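A diagnostic check, added here and not part of the original post or of the Splunk *nix app, that approximates the stanza's blank-line event breaking (LINE_BREAKER=^()$ with SHOULD_LINEMERGE=false) on a constructed ps.sh-style sample, counts the process rows per event, and flags date-like tokens that a timestamp extractor could pick up; the sample text and its column header are assumptions.

```python
import re

# Constructed sample of ps.sh-style output (not the poster's real data): it
# contains a blank line in the middle and a command argument that looks like
# a date, which are the two things this check reports on.
SAMPLE_PS_OUTPUT = """\
USER   PID  pctCPU  pctMEM  VSZ     RSS    TTY  STAT  STARTED  TIME      COMMAND
root   1    0.0     0.1     19340   1536   ?    Ss    Apr24    00:00:01  init
root   2    0.0     0.0     0       0      ?    S     Apr24    00:00:00  kthreadd

app    1234 0.5     2.0     512000  81920  ?    Sl    Apr24    00:01:12  java -Dexpire="Fri Oct 14 00:00:00 2016" App
"""

# Tokens a timestamp extractor could latch onto, e.g. "Oct 14 00:00:00 2016".
DATE_TOKEN = re.compile(
    r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} +\d{2}:\d{2}:\d{2} +\d{4}\b"
)


def split_events(text):
    """Approximate LINE_BREAKER=^()$ with SHOULD_LINEMERGE=false:
    every blank line ends the current event and starts a new one."""
    events, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events


def count_processes(events):
    """Count process rows across all events, skipping the header row
    (assumed here to start with 'USER')."""
    return sum(1 for event in events for line in event.splitlines()
               if not line.startswith("USER"))


def suspicious_timestamps(events):
    """Return (event_index, token) for every date-like token in the events."""
    return [(i, m.group(0)) for i, event in enumerate(events)
            for m in DATE_TOKEN.finditer(event)]


if __name__ == "__main__":
    events = split_events(SAMPLE_PS_OUTPUT)
    print(f"{len(events)} event(s), {count_processes(events)} process rows")
    for index, token in suspicious_timestamps(events):
        print(f"event {index}: date-like token {token!r}")
```

Running it against real ps.sh output (replace the sample) shows whether the output is being broken on blank lines and which rows carry text a timestamp parser could mistake for an event time.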