When I import some text with carriage return and line feed characters, I'm able to get the data indexed in the correct format. But when I export that same data, I get the following effect:
CR -> CR (ok)
LF -> LF (ok)
LF+CR -> LF+CR (ok) but
CR+LF -> LF (fail)
Why does Splunk remove the CR in CR+LF during export?
No, not quite yet. I expect it not to work. But I will test it after learning how to do that...
I'm working on a workaround. With that I'm quite close, but I don't know if this can actually be done. My idea is to replace all CRLFs with CRCRLF in the search so the export would come out correct.
I have tested this by importing data in Splunk with "wrong" format, like CRCRLF. When I export this it comes out CRLF. Nice, this kind of works.
Now I'm trying to figure out how I can get the REX MODE=SED to work but I just don't know how to replace the "\r" and "\n" correctly. Simple "\r\r\n" won't work.
My search command:
index=test | REX mode=SED "s/\r\n/?????/g"
The first part (\r\n) works, it finds the CRLF's. But I just don't know how to format the ????? part.
CR = \r LF = \n
Sometimes \R is similar to \r, but I believe it's shorthand for (\r OR \n OR \r\n)
A similar issue at Why are new events resulting from mvexpand picking up special characters when exporting to CSV and h...
Solved via -
That didn't work. In that example mentioned in the link he was trying to remove those characters. I'm trying NOT to remove, but to keep the characters.
So maybe try
| fields _raw | table _raw
Have you tried exporting via REST?
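
To confirm which line endings an export actually changes, the source data and the exported file can be compared byte for byte. The following is an added example, not code from any poster in this thread; the sample byte strings are constructed to mirror the mapping reported in the question, and the function names are hypothetical.

```python
import re

# Two-byte sequences come first so CR+LF and LF+CR are each seen as one unit.
# A run such as LF CR LF is ambiguous; it is read left to right as LF+CR, LF.
_EOL = re.compile(rb"\r\n|\n\r|\r|\n")
_NAMES = {b"\r\n": "CR+LF", b"\n\r": "LF+CR", b"\r": "CR", b"\n": "LF"}


def eol_sequence(data: bytes) -> list[str]:
    """Return the line-ending sequences in data, in order of appearance."""
    return [_NAMES[m.group()] for m in _EOL.finditer(data)]


def eol_changes(original: bytes, exported: bytes) -> list[tuple[str, str]]:
    """Pair up line endings by position and return the (before, after) pairs that differ."""
    before, after = eol_sequence(original), eol_sequence(exported)
    if len(before) != len(after):
        # A different count means endings were split or merged, so
        # position-by-position pairing would be misleading.
        raise ValueError(f"line-ending count differs: {len(before)} vs {len(after)}")
    return [(b, a) for b, a in zip(before, after) if b != a]


# Constructed sample: one of each ending listed in the question.
ORIGINAL = b"a\rb\nc\n\rd\r\ne"
# Constructed to match the reported result (CR+LF comes back as LF).
EXPORTED = b"a\rb\nc\n\rd\ne"

if __name__ == "__main__":
    print("original:", eol_sequence(ORIGINAL))
    print("exported:", eol_sequence(EXPORTED))
    print("changed: ", eol_changes(ORIGINAL, EXPORTED))
```

When running this against real files, open them with mode "rb". Python's default text mode translates CR+LF and CR to LF on read, which would hide the very difference being checked.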