- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Replace all newlines anywhere (beginning, middle, ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Replace all newlines anywhere (beginning, middle, end) on field
Hello all,
I have a field with data that looks like this:
The process has failed. Please review.
Dear Team
Please assign to Team
Process blah blah to blah blah
Please review logs.
Sincerely
Support
I want to remove all linebreaks like so:
The process has failed. Please review blah: Dear Team Please open a new Incident and assign to Team blah Submitted from 1928389112828 blah. Please review attached logs. Sincerely, Support.
I've tried sed to do it: | rex mode=sed field=description "s/(\n+)//g", but the output still has extra spaces at the beginning.
I've also tried trim(description) but it's giving me the same result.
Any help would be appreciated. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval description="The process has failed. Please review.
Dear Team
Please assign to Team
Process blah blah to blah blah
Please review logs.
Sincerely
Support"
| eval description=replace(description,"(?m)\s+"," ")
HI, @dojiepreji
try (?m)
cf. regex101
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use replace.
| makeresults
| eval description = "The process has failed. Please review.
Dear Team
Please assign to Team
Process blah blah to blah blah
Please review logs.
Sincerely
Support"
| eval description = replace(description, "\n\n", "")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're close - you need to change the regex in replace() from "\n\n" to "[\n\r\f]"
Then replace() will change any form of a newline to a blank.
Alternatively, you could do | eval description=replace(replace(description,"[\n\r\f]"," "),"\s{2,}"," ")
Which will replace newlines with a space, and then replace any sequential whitespace with a single space.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did not work. Nothing happened to my field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am getting the proper result. With above query I got below value for description:
The process has failed. Please review. Dear Team Please assign to Team Process blah blah to blah blah Please review logs. Sincerely Support
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple line breaks before the line The process has failed.... This might be contributing as to why I'm not getting any changes.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
