Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is linecount 2 when it's clearly 1?

danielbb
Motivator
4 weeks ago

For multiple sourcetypes, linecount is 2, while clearly, it should be 1. Has anybody encountered this case?

Labels (4)
Tags (1)
0 Karma
Reply

livehybrid
Super Champion
3 weeks ago

Hi @danielbb 

Please could you share a sample event and screenshot of this so we try and repeat this issue and/or diagnose?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

danielbb
Motivator
3 weeks ago

Thank you, @livehybrid@richgalloway, I'll get screenshots but, a related question, how do I access the second line of _raw?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
3 weeks ago
In splunk _raw is only one line, but it can contains e.g. \n character.
You could see it e.g. “table _raw”
Reply

danielbb
Motivator
3 weeks ago

@isoutamo  I'm running the following - 

index = <my_index> linecount=2
| table _raw

and everything shows up as one line, I don't see any sign of \n, what do I miss? 

I also checked with an encoding tool and it doesn't show either the 13 ascii code or the 10 one within these lines. 

My biggest confusion is the fact that for this sourcetype I have -  

SHOULD_LINEMERGE=FALSE

And therefore, how come, sometimes the events have multiple lines? 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
3 weeks ago
Hoe you have defined line breaking?
Reply

danielbb
Motivator
3 weeks ago

I came across an identical thread at Re: How does Splunk calculate linecount? - Splunk Community

0 Karma
Reply

livehybrid
Super Champion
3 weeks ago

Hi @danielbb 

It could be something like a field extraction happening after the line breaking which is causing this, or something else. Without access to your instance we could do with seeing some sample logs along with a btool output ($SPLUNK_HOME/bin/splunk btool props list <sourceTypeName>) for your event's sourcetype. 

The thread you posted from 2013 looks like could have been related to the events having a line-break in.

Please let us know if you're able to provide a sample + props output. 

Thanks

Reply

richgalloway
SplunkTrust
SplunkTrust
4 weeks ago

Example?  Screenshot?

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
OSZAR »