- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to stop line breaking twice? First line feed i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my environment the following servers exist.
windows 2012 R2
Splunk 6.5.2
On this server, when trying to export logs in csv format on Splunk web, the line breaking twice and outputted with blank line between each line.
I suspected a misconfiguration of a specific log, but even if I exported _internal log, a line breaking was done.
After converting it to binary format and confirming it, I found that the first line feed was done in CR format and the second line feed seemed to be done in CRLF format.
I think that it caused by reconverting only the LF part of the line feed in CRLF format into CRLF again.
I predicted that the following phenomena might be occurring.
_raw ~ CRLF (* At this time still a single line break)
_raw ~ CR CRLF (* LF is converted to CRLF, and the number of line feeds is twice.)
Is this a known issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When outputting CSV, if the following wording or similar wording is displayed on the bottom line of the box for entering the file name, a blank line is inserted after each line.
"Re-execute the search statement"
Also, the CSV output of the search head and the indexer has a difference between the role (search head and indexer).
When in the indexer, output result exceeds a certain number (eg 1000), this wording is displayed, but in the search head this wording is displayed irrespective of the number of output result.
Since it is the current specification, it can not be solved by setting change.
As a workaround, by using the "table" command to specify the required columns, it is possible to avoid inserting empty lines
Example)
index=_internal | table _time _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When outputting CSV, if the following wording or similar wording is displayed on the bottom line of the box for entering the file name, a blank line is inserted after each line.
"Re-execute the search statement"
Also, the CSV output of the search head and the indexer has a difference between the role (search head and indexer).
When in the indexer, output result exceeds a certain number (eg 1000), this wording is displayed, but in the search head this wording is displayed irrespective of the number of output result.
Since it is the current specification, it can not be solved by setting change.
As a workaround, by using the "table" command to specify the required columns, it is possible to avoid inserting empty lines
Example)
index=_internal | table _time _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Likewise, I tried with two Splunks built on windows 2012 R2.
One side, when I export only a small number of results such as 200 to 300, there is no line feed, but when I export about 10000 result counts, there is line feed!
On the other hand, no line breaks were made even with more than 30000 result counts.
I think that it isn't caused by setting, it seems to be malfunctioning.
Does anyone know something?
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
