https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38352#M7057 <P>Snark alert! The + on the [class] is unnecessary.</P> Wed, 13 Nov 2013 23:42:29 GMT jrodman 2013-11-13T23:42:29Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38350#M7055 <P>Windows event logs are being picked up by Universal Forwarder v5 and sent to an Indexer v5.</P> <P>I'm trying to forward these events to a third party for analysis. I've followed the instructions <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd">here</A> and have events hitting my third party server on UDP 514.</P> <P>Tcpdump shows the data contains newline characters. For example: ...\nLogName=Security\nSourceName=Security\n</P> <P>It appears that UF picks up the newlines from the windows event log, and the built-in sourcetype creates multi-line events. But my third party server does not handle multi-line events in syslog correctly.</P> <P>Is there any way to have Splunk escape/replace the newlines in the event with some other character or pattern prior to sending them to the third party over syslog?</P> Mon, 19 Aug 2013 02:30:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38350#M7055 ringm 2013-08-19T02:30:36Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38351#M7056 <P>The windows events logs are multiline events in Splunk.</P> <P>There are no method to format the events when they are being forwarded. So the only options are :</P> <UL> <LI><P><STRONG>bypass splunk</STRONG><BR /> collect the windows logs as syslog and send them directly to your device. (see snare and other tools)</P></LI> <LI><P><STRONG>format the events at indextime using SEDCMD</STRONG>.<BR /> Collect the events with splunk, and remove the linebreaking characters at index time.<BR /> The events will be forwarded as single line.<BR /> But in splunk, they will lose the default formatting, and some field extractions may fail.<BR /> It will have a performance cost at index time to apply the sed command.</P></LI> </UL> <P>Disclaimer : <EM>This method is a workaround and the events may not be suitable for splunk existing apps and analytics.</EM></P> <P>Here is a method in props.conf for the indexers (and heavy forwarder) to achieve it for every windows events logs.</P> <P><CODE>[source::*WinEventLog*] <BR /> SEDCMD= s/[\n\r]/ /g<BR /> # remove all the line breaks<BR /> </CODE></P> Wed, 13 Nov 2013 21:59:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38351#M7056 yannK 2013-11-13T21:59:00Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38352#M7057 <P>Snark alert! The + on the [class] is unnecessary.</P> Wed, 13 Nov 2013 23:42:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38352#M7057 jrodman 2013-11-13T23:42:29Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38353#M7058 <P>thanks jrod, answer edited</P> Thu, 14 Nov 2013 00:09:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-escape-linefeed-newline-characters-when-forwarding/m-p/38353#M7058 yannK 2013-11-14T00:09:52Z