Solved: What character is Splunk using for line breaks in ...

johnraftery · ‎03-01-2016

I have inputs configured to allow for multiline events, representing groups of log lines. I'm then using it to build a very simple search:

eventtype=mlc sourcetype=log4j host=x | table _time message log_level

I would like to know what happens to the data when it gets displayed in a table - it seems that the line breaks are not preserved, but are converted into /s. Is this correct? Is there any way I can preserve the line breaks? Or even just see the literal /n character, or whatever it is.

Thanks,
John Raftery

woodcock · ‎03-01-2016

You are correct; as far as I know, linebreaks cannot be preserved. HOWEVER, you can convert your single-value field containing line-breaks to a multi-value field where each value begins/ends at a line break and the order is preserved.

Do it like this:

... | rex max_match=0 field=multiLineField "(?ms)^\s*(?<multiValueField>[^\r\n]+)\s*$"
| eval multiLineField=multiValueField
| table host multiLineField

View solution in original post

woodcock · ‎03-01-2016

You are correct; as far as I know, linebreaks cannot be preserved. HOWEVER, you can convert your single-value field containing line-breaks to a multi-value field where each value begins/ends at a line break and the order is preserved.

Do it like this:

... | rex max_match=0 field=multiLineField "(?ms)^\s*(?<multiValueField>[^\r\n]+)\s*$"
| eval multiLineField=multiValueField
| table host multiLineField

johnraftery · ‎03-03-2016

Ah, that's working now. Thanks very much! I'm wondering, when you click on one of the lines in the multiValueField (when it's displayed in a table), is it possible to get just that line in a token? I would normally put something like this in the drilldown, but it captures the whole MV field:

          <set token="message">$row.message$</set>

woodcock · ‎03-03-2016

I'm an engineer, not a magician! Seriously, though, I suspect it is possible but don't do much custom drill-down. I would click Accept on this answer and then post a new question "How can I drilldown on one value of a multiValue field?"

johnraftery · ‎03-04-2016

Fair enough. Thanks again.

muebel · ‎03-01-2016

Hi John, the table command doesn't offer anything in the way of formatting. Although the normal event viewer displays multiline events properly, once piping to table, the table command displays the fields without line breaks.

Please let me know if this answers your question 😄

johnraftery · ‎03-01-2016

Thanks. What I'd like to know is if there is a way to retain the line breaks. Is the answer is no (and based on your response it probably is), then will I be able to use "/n" to search my data? EG:

... | search message = "First line\nSecond line"

johnraftery · ‎03-01-2016

Sorry if my question is poorly worded - not easy to explain!

What character is Splunk using for line breaks in a multiline event?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk