Getting Data In

Can I remove extra newlines from my csv?

kinkdotcom
New Member

I have an alert set up that surfaces suspicious activity by IP addresses, which triggers an extremely simple shell script that feeds IPs to a separate webapp.

The _si field has a newline in it, which turns every other line in the script into garbage data. Is there any way to remove the newline or exclude some or all of the metadata from the CSV output? I'd like to keep this as simple as possible; worst case scenario I can call another script, but I'd rather reduce the number of moving parts.

0 Karma

Rob
Splunk Employee

Hi Kinkdotcom,

There are a couple of different workarounds we can use that mostly deal with re-formatting the _si field.

For example, you can include the following in the scheduled search to change _si="hostname\r\nindexname" to _si="hostname, indexname":

| rex field=_si "(?<siHostName>[^\r\n]*)[\r\n]+(?<siIndexName>.*)" | eval _si=if(siIndexName!="", siHostName.", ".siIndexName, coalesce(siHostName, _si))

Unfortunately, there is not really a good way to do this using props and transforms, as we cannot concatenate fields at that point. However, if you wanted to, you could run the regex extracts with a props.conf line in the appropriate stanza and only use one eval in your search to provide the concatenation. This would look sort of like this:

#in props.conf
[<source|sourcetype|host>]
EXTRACT-myNew_si = (?<siHostName>[^\r\n]*)[\r\n]+(?<siIndexName>.*) in _si

Then your search just needs to include the following eval:

| eval _si=if(siIndexName!="", siHostName.", ".siIndexName, coalesce(siHostName, _si))

This will help to shorten your search string a bit while maintaining the same fundamental extractions.

Finally, the reason for using the eval if() is to make sure not to add the comma separation when we have a blank index name value, as this gets saved back to the _si field, which is contained within $SPLUNK_ARG_8.

0 Karma
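The other side of the problem is the consumer: a script that splits the results file on newlines will always break on a quoted field like _si, while a real CSV parser does not. The following is an added example, not code from either post, showing Python's csv module reading such output and applying the same host/index normalization as the rex/eval above; the column names and values in SAMPLE_CSV are constructed.

```python
import csv
import io
import re

# Constructed sample of a scheduled-search CSV result. The _si value is a
# quoted field holding a CR/LF between host name and index name, so a
# line-oriented reader sees four "rows" after the header instead of two.
SAMPLE_CSV = (
    '_time,src_ip,_si\r\n'
    '"2024-05-01T10:00:00","203.0.113.7","splunk-idx01\r\nmain"\r\n'
    '"2024-05-01T10:05:00","198.51.100.9","splunk-idx02\r\n"\r\n'
)

# Host name up to the first CR/LF, then whatever follows as the index name.
_SI_RE = re.compile(r"^(?P<host>[^\r\n]*)(?:[\r\n]+(?P<index>.*))?$", re.S)


def normalize_si(value):
    """Mirror the rex + eval in the answer: join host and index with ', ',
    but leave a bare host name untouched when the index part is blank."""
    m = _SI_RE.match(value)
    host = m.group("host")
    index = (m.group("index") or "").strip()
    return f"{host}, {index}" if index else host


def naive_line_count(text):
    """How many data lines a split-on-newline shell loop would see."""
    return len(text.splitlines()) - 1  # minus the header line


def parse_alert_results(text):
    """Parse with the csv module, which honours newlines inside quoted
    fields, and return (src_ip, normalized _si) pairs for the webapp."""
    rows = []
    # newline='' is what the csv docs require so line endings inside a
    # quoted field are passed through untouched.
    for row in csv.DictReader(io.StringIO(text, newline="")):
        rows.append((row["src_ip"], normalize_si(row["_si"])))
    return rows


if __name__ == "__main__":
    print("naive line count:", naive_line_count(SAMPLE_CSV))
    for ip, si in parse_alert_results(SAMPLE_CSV):
        print(ip, si)
```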