<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: multiple lines in saved search in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44306#M8269</link>
    <description>&lt;P&gt;Further testing found another problem:&lt;/P&gt;

&lt;P&gt;The 'rename' command does not work this way.  It is not deprecated, but it breaks the search if I put the following two lines in my search:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rename aaa as bbb \
| other search conditions&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;So, I have to put at least one other command following 'rename' on the same line:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rename aaa as bbb | other search conditions&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Tue, 08 May 2012 22:51:10 GMT</pubDate>
    <dc:creator>tonopahtaos</dc:creator>
    <dc:date>2012-05-08T22:51:10Z</dc:date>
    <item>
      <title>multiple lines in saved search</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44303#M8266</link>
      <description>&lt;P&gt;Hi, &lt;/P&gt;

&lt;P&gt;My saved search is very long.  I want to put it in savedsearches.conf on multiple lines, escaped with \&lt;/P&gt;

&lt;P&gt;These are my search lines:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;search = (sourcetype=syslog) \
| search NOT "DEBUG" \
| transaction host user maxspan=2s maxpause=2s \
| convert timeformat="...." ctime(_ctime) as time \
| (lots of more lines....)&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This seems to work unless I add 'convert' to my search.  It breaks the whole search.  Once I change everything to one line (by removing the escape \ and \n), everything goes back to normal.&lt;/P&gt;

&lt;P&gt;Is this a bug somewhere in the Splunk code? Why is 'convert' different?&lt;/P&gt;

&lt;P&gt;Thanks &lt;/P&gt;</description>
      <pubDate>Sat, 05 May 2012 00:09:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44303#M8266</guid>
      <dc:creator>tonopahtaos</dc:creator>
      <dc:date>2012-05-05T00:09:00Z</dc:date>
    </item>
    <item>
      <title>Re: multiple lines in saved search</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44304#M8267</link>
      <description>&lt;P&gt;The &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert"&gt;Search Reference topic on convert&lt;/A&gt; notes that it "is mostly deprecated, and its functionality has been re-worked as &lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/CommonEvalFunctions"&gt;functions of the eval command&lt;/A&gt; such as &lt;CODE&gt;strftime()&lt;/CODE&gt;, &lt;CODE&gt;strptime()&lt;/CODE&gt;, or &lt;CODE&gt;tostring()&lt;/CODE&gt;." Have you tried using &lt;CODE&gt;eval&lt;/CODE&gt; instead?&lt;/P&gt;</description>
      <pubDate>Sun, 06 May 2012 15:12:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44304#M8267</guid>
      <dc:creator>ChrisG</dc:creator>
      <dc:date>2012-05-06T15:12:52Z</dc:date>
    </item>
    <item>
      <title>Re: multiple lines in saved search</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44305#M8268</link>
      <description>&lt;P&gt;This is exactly what the problem was.  Thank you very much.&lt;/P&gt;</description>
      <pubDate>Sun, 06 May 2012 23:37:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44305#M8268</guid>
      <dc:creator>tonopahtaos</dc:creator>
      <dc:date>2012-05-06T23:37:20Z</dc:date>
    </item>
    <item>
      <title>Re: multiple lines in saved search</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44306#M8269</link>
      <description>&lt;P&gt;Further testing found another problem:&lt;/P&gt;

&lt;P&gt;The 'rename' command does not work this way.  It is not deprecated, but it breaks the search if I put the following two lines in my search:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rename aaa as bbb \
| other search conditions&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;So, I have to put at least one other command following 'rename' on the same line:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;rename aaa as bbb | other search conditions&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 08 May 2012 22:51:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/multiple-lines-in-saved-search/m-p/44306#M8269</guid>
      <dc:creator>tonopahtaos</dc:creator>
      <dc:date>2012-05-08T22:51:10Z</dc:date>
    </item>
  </channel>
</rss>

