Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I remove extra newlines from my csv?

kinkdotcom
New Member
‎02-07-2012 11:40 AM

I have an alert set up that surfaces suspicious activity by ip addresses which triggers an extremely simple shell script that feeds ips to a separate webapp.

The _si field has a newline in it, which turns every other line in the script into garbage data. Is there any way to remove the newline or exclude some or all of the meta data from the csv output? I'd like to keep this as simple as possible; worst case scenario I can call another script, but I'd rather reduce the number of moving parts.

Tags (1)
0 Karma
Reply

Rob
Splunk Employee
Splunk Employee
‎02-21-2012 11:24 AM

Hi Kinkdotcom,

There are a couple of different workarounds we can use that mostly deal with re-formatting the _si field.

For example you can include the following in the scheduled search to change _si="hostname\r\nindexname" to _si="hostname, indexname":

| rex field=_si "(?<siHostName>.*?)[\r\n](?<siIndexName>.*?)" | eval _si=if(siIndexName!='', siHostName.", ".siIndexName, siHostName)

Unfortunately, there is not really a good way to do this using props and transforms as we can not concatenate fields at that point. However, if you wanted to you could run the regex extracts with a props.conf line in the appropriate stanza and only use one eval in your search to provide the concatenation. This would look sort of like this;

#in props.conf
[<source|sourcetype|host>]
EXTRACT-myNew_si = (?<siHostName>.*?)[\r\n](?<siIndexName>.*?) in _si

then your search just needs to include the following eval;

| eval _si=if(siIndexName!='', siHostName.", ".siIndexName, siHostName)

This will help to shorten your search string a bit while maintaining the same fundamental extractions.

Finally, the reason for using the eval if() is to make sure not to add the comma separation when we have a blank index name value as this gets saved back to the _si field which is contained within $SPLUNK_ARG_8.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...