Missing GUID data in Splunk

[NBRAZ22]

What happened: Missing GUID data from EKS env to Splunk Cloud

What you expected to happen: Full GUID data.

How to reproduce it (as minimally and precisely as possible): SPL: index="" "10222185594_000001799fb6b0b8-5f88008d" sourcetype="kube:container:fpsservice-prod"

(Last 7 days)

Produces only 1 event entry:

These transactions should produce >30 events per transaction GUID

For example:

SPL:

index="" sourcetype="kube:container:fpsservice-prod" "10232207134_000001798298e21c-615d6e9f"

(last 7 days)

Produces 75 events:

Anything else we need to know?: For fuller detail, see Case 3050600.

Environment:

• Kubernetes version (use kubectl version):Unsure
• Ruby version (use ruby --version):Unsure
• OS (e.g: cat /etc/os-release):
• Splunk version:8.2.2203.4
• Splunk Connect for Kubernetes helm chart version:1.4.5
• Others:

[hvaghani221]

Hi @NBRAZ22, can you explain more regarding this issue?

[NBRAZ22]

Hi @NBRAZ22, can you explain more regarding this issue?

This issue seems similar to what would happen if the “MAX_EVENTS” value was not set to an appropriate value and therefore the event is split into separate events. Since a heavy Forwarder is not being used, where in Splunk Connect for Kubernetes can the “MAX_EVENTS” value be found and adjusted?

[hvaghani221]

There is no such config MAX_EVENTS for SCK. If want to enable multiline events, you need to add appropriate configurations. https://github.com/splunk/splunk-connect-for-kubernetes/blob/d68615833d27efa6acc6b97392ea606aa408ceba/helm-chart/splunk-connect-for-kubernetes/values.yaml#L246-L328

[github-actions[bot]]

This issue is stale because it has been open for 30 days with no activity.

[github-actions[bot]]

This issue was closed because it has been inactive for 14 days since being marked as stale.