I have inputs configured to allow for multiline events, representing groups of log lines. I'm then using it to build a very simple search:
eventtype=mlc sourcetype=log4j host=x | table _time message log_level
I would like to know what happens to the data when it gets displayed in a table - it seems that the line breaks are not preserved, but are converted into /s. Is this correct? Is there any way I can preserve the line breaks? Or even just see the literal /n character, or whatever it is.
Thanks,
John Raftery
You are correct; as far as I know, linebreaks cannot be preserved. HOWEVER, you can convert your single-value field containing line-breaks to a multi-value field where each value begins/ends at a line break and the order is preserved.
Do it like this:
... | rex max_match=0 field=multiLineField "(?ms)^\s*(?<multiValueField>[^\r\n]+)\s*$"
| eval multiLineField=multiValueField
| table host multiLineField
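To see exactly what that rex produces on a real multiline event, here is an added Python example (not from the original answer or from Splunk) that runs the same pattern, with Splunk's (?ms) mapped to Python's re.M | re.S, over a constructed log4j-style event with CRLF endings, a blank line, an indented stack-trace line and trailing spaces:

```python
import re

# Constructed sample event (not real log data): log4j message followed by a
# stack trace, CRLF line endings, one blank line and trailing spaces on the
# last line.
SAMPLE_EVENT = (
    "2024-01-01 12:00:00 ERROR OrderService - Payment failed\r\n"
    "java.lang.IllegalStateException: gateway timeout\r\n"
    "\tat com.example.Pay.charge(Pay.java:42)\r\n"
    "\r\n"
    "\tat com.example.Order.submit(Order.java:17)   \r\n"
)

# Same expression as the rex above; Splunk's (?ms) is re.M | re.S in Python.
LINE_RE = re.compile(r"^\s*(?P<multiValueField>[^\r\n]+)\s*$", re.M | re.S)


def to_multivalue(text):
    """Emulate `rex max_match=0`: each match becomes one value, in order.

    Behaviour worth knowing before relying on it in a search:
    - blank lines are dropped, because [^\r\n]+ needs at least one character;
    - leading whitespace (stack-trace indentation) is eaten by the first \s*;
    - trailing spaces stay in the value, because the greedy [^\r\n]+ takes
      them before \s*$ gets a chance.
    """
    return [m.group("multiValueField") for m in LINE_RE.finditer(text)]


if __name__ == "__main__":
    for i, value in enumerate(to_multivalue(SAMPLE_EVENT), 1):
        print(f"{i}: {value!r}")
```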
Ah, that's working now. Thanks very much! I'm wondering, when you click on one of the lines in the multiValueField (when it's displayed in a table), is it possible to get just that line in a token? I would normally put something like this in the drilldown, but it captures the whole MV field:
<set token="message">$row.message$</set>
I'm an engineer, not a magician! Seriously, though, I suspect it is possible but don't do much custom drill-down. I would click Accept on this answer and then post a new question "How can I drilldown on one value of a multiValue field?"
Fair enough. Thanks again.
Hi John, the table command doesn't offer anything in the way of formatting. Although the normal event viewer displays multiline events properly, once piping to table, the table command displays the fields without line breaks.
Please let me know if this answers your question 😄
Thanks. What I'd like to know is if there is a way to retain the line breaks. If the answer is no (and based on your response it probably is), then will I be able to use "/n" to search my data? E.g.:
... | search message = "First line\nSecond line"
Sorry if my question is poorly worded - not easy to explain!