https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186002#M37261 <P>splunk enterprise 6.1.1</P> <P>In search view on the Splunk search head web front end, as well as in table view in the email alerts, Splunk is not maintaining line breaks as in the original log.</P> Mon, 18 Aug 2014 20:56:11 GMT spsrasru 2014-08-18T20:56:11Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186002#M37261 <P>splunk enterprise 6.1.1</P> <P>In search view on the Splunk search head web front end, as well as in table view in the email alerts, Splunk is not maintaining line breaks as in the original log.</P> Mon, 18 Aug 2014 20:56:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186002#M37261 spsrasru 2014-08-18T20:56:11Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186003#M37262 <P>Can you post the original log samples and also explain where Splunk is not maintaining line breaks</P> Mon, 18 Aug 2014 21:17:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186003#M37262 strive 2014-08-18T21:17:50Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186004#M37263 <P>Other users are reporting the same thing since the upgrade to 6.1:<BR /> <A href="http://answers.splunk.com/answers/138053/line-breaks-being-removed-from-raw-data-in-email-alerts-after-upgrade-to-6-1.html">http://answers.splunk.com/answers/138053/line-breaks-being-removed-from-raw-data-in-email-alerts-after-upgrade-to-6-1.html</A></P> Tue, 14 Oct 2014 16:46:41 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186004#M37263 adamw 2014-10-14T16:46:41Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186005#M37264 <P>@adamw the link points to this question itself. This said, I have seen this before 6, too. Does it have to do with overload? I am under the impression that this tends to happen when volume is extremely high, although I do not have direct measurement.</P> Tue, 14 Oct 2014 16:54:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186005#M37264 yuanliu 2014-10-14T16:54:18Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186006#M37265 <P>@yuanliu sorry, copy and paste fail. Updated the link to the other question.</P> <P>The alert I see it on is one where the output in each _raw cell is around 20 lines. Under 6.0 it showed the _raw field in the table with the proper line breaks, but since our 6.1 upgrade, it ignores newlines in _raw and mashes all of the log data into one text blob.</P> <P>It still looks properly line break'ed in the search UI.</P> Tue, 14 Oct 2014 16:58:29 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186006#M37265 adamw 2014-10-14T16:58:29Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186007#M37266 <P>anyone have a solution/workaround for this issue?</P> Tue, 27 Jan 2015 12:49:07 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186007#M37266 maimonoded 2015-01-27T12:49:07Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186008#M37267 <P>Ciao,</P> <P>Please check my answer reported here:</P> <P><A href="https://answers.splunk.com/answers/494716/how-to-split-a-multi-line-raw-to-a-multivalue-with.html?childToView=733420#answer-733420">https://answers.splunk.com/answers/494716/how-to-split-a-multi-line-raw-to-a-multivalue-with.html?childToView=733420#answer-733420</A></P> <P>basically you can do in this way:</P> <PRE><CODE>your base search | rex max_match=0 "^(?&lt;lines&gt;.+)\n+" | eval raw2=mvindex(lines,0,-1) | table raw2 </CODE></PRE> <P>Best Regards,<BR /> Edoardo</P> Tue, 12 Mar 2019 16:03:28 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-maintaining-line-breaks-as-in-the-original-log/m-p/186008#M37267 edoardo_vicendo 2019-03-12T16:03:28Z