Getting Data In

What is the best way to display a payload with line breaks for better readability in Splunk Web?

ram_85
Explorer

I want to display the payload with line breaks for better readability on Splunk Web.

Splunk receives the payload as a stream of data with no line breaks, which results in continuous text. So we included a unique string at the end of the line before sending to Splunk. We are trying to replace the unique string with line breaks so that it will help with the readability. Will LINE_BREAKER work for this?

Current:


    Exception in thread "main" java.lang.NullPointerException
    at com.example.myproject.Book.getTitle(Book.java:16)
    at com.example.myproject.Author.getBookTitles(Author.java:25)
    at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
    
    

Expected:

    Exception in thread "main" java.lang.NullPointerException
    at com.example.myproject.Book.getTitle(Book.java:16)
    at com.example.myproject.Author.getBookTitles(Author.java:25)
    at com.example.myproject.Bootstrap.main(Bootstrap.java:14)

0 Karma
1 Solution

ram_85
Explorer

This works for me.

    | rex mode=sed "s/ /\n/g"

0 Karma

ram_85
Explorer

Rex mode command works and I am assuming SEDCMD will also work. I am worried about the performance. Will there be any impacts on the performance if SEDCMD command is used?

    rex mode=sed "s/ /\n/g"
    SEDCMD-breaklinekpaths=s/ /\n/g

0 Karma

bmacias84
Champion

Should be too bad, but this seems to be your only option.

0 Karma

bmacias84
Champion

LINE_BREAKER is intended to create new events, and I doubt you want each line to be a separate Splunk event. Why is your log inserting characters as HTML entities? I think the best way would be to use sed to convert all the HTML entities or build a Splunk command.

0 Karma
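
The difference described in the reply above, modelled in Python as an added example (not code from the thread or from Splunk). The marker `<EOL>` is a constructed placeholder because the poster's actual marker is not shown on the page, and `line_breaker` is a simplified model of LINE_BREAKER's documented capture-group behaviour.

```python
import re

# Constructed placeholder; the poster's real end-of-line marker is not shown.
MARKER = "<EOL>"

# Constructed sample: the stack trace from the question, flattened into one stream.
RAW = MARKER.join([
    'Exception in thread "main" java.lang.NullPointerException',
    "at com.example.myproject.Book.getTitle(Book.java:16)",
    "at com.example.myproject.Author.getBookTitles(Author.java:25)",
    "at com.example.myproject.Bootstrap.main(Bootstrap.java:14)",
])

# LINE_BREAKER-style pattern: the first capture group is the text to discard.
BREAK_ON_MARKER = "(" + re.escape(MARKER) + ")"


def sed_replace(event, marker=MARKER):
    """Model of a sed-style global substitution of the marker with a newline.

    The event stays a single event; only its text changes.
    """
    return re.sub(re.escape(marker), "\n", event)


def line_breaker(stream, pattern=BREAK_ON_MARKER):
    """Model of LINE_BREAKER: split the stream into separate events.

    The previous event ends where capture group 1 starts, the next event
    begins where group 1 ends, and the group's own text is dropped.
    """
    events, start = [], 0
    for m in re.finditer(pattern, stream):
        events.append(stream[start:m.start(1)])
        start = m.end(1)
    events.append(stream[start:])
    return [e for e in events if e]


if __name__ == "__main__":
    one_event = sed_replace(RAW)
    print("sed substitution: 1 event, %d lines" % len(one_event.splitlines()))
    print(one_event)
    many = line_breaker(RAW)
    print("LINE_BREAKER model: %d separate events" % len(many))
    for i, e in enumerate(many, 1):
        print("event %d: %s" % (i, e))
```

With the substitution the stack trace remains one searchable event; with the line-breaking model each frame becomes its own event and loses its association with the exception line.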