https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676994#M231504 <P>The <FONT face="courier new,courier">rex</FONT> command can either extract fields from an event or replace text in an event.&nbsp; In this case, <FONT face="courier new,courier">mode=sed</FONT> tells it to replace text.&nbsp; The <FONT face="courier new,courier">field=summary</FONT> option restricts the command to the contents of the summary field.</P><P>The quoted string is the sed command to execute.&nbsp; The 's' represents the substitute command.&nbsp; The part after the first slash is a regular expression.&nbsp; It says to look for the string "<FONT face="courier new,courier">from '</FONT>" followed by any number of additional characters (.*).&nbsp; The parentheses create a group we'll refer back to later.&nbsp; The part after the next slash is the replacement text.&nbsp; It puts the "from" back, adds a newline character (\n), then adds the remainder of the original text (the group from part 1).</P><P>To read more about rex, see the Search Reference manual.&nbsp; <A href="https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Rex" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Rex</A></P> Thu, 08 Feb 2024 18:40:18 GMT richgalloway 2024-02-08T18:40:18Z https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676747#M231433 <P>Hi All,</P><P>I have a field called summary in my search -</P><LI-CODE lang="markup">Failed backup of the transaction log for SQL Server database 'model' from 'WSQL040Q.tkmaxx.tjxcorp.net\\MSSQLSERVER'.</LI-CODE><P>I am creating this search for service-now alert and I am sending this summary field value under comments in ServiceNow.</P><P>I need it to break in two lines like this -</P><P>Line1-Failed backup of the transaction log for SQL Server database 'model' from<BR />Line2-'WSQL040Q.tkmaxx.tjxcorp.net\\MSSQLSERVER'.</P><P>&nbsp;</P><P>How do I implement this in my Search?</P><P>Thanks In Advance!</P> Tue, 06 Feb 2024 14:19:57 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676747#M231433 man03359 2024-02-06T14:19:57Z https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676752#M231435 <P>If SNOW will interpret a newline character as dividing the field into two lines then this may work.</P><LI-CODE lang="markup">| rex field=summary mode=sed "s/from '(.*)/from\n'\1/"</LI-CODE> Tue, 06 Feb 2024 15:27:14 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676752#M231435 richgalloway 2024-02-06T15:27:14Z https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676929#M231486 <P>Alternatively, if ServiceNow accepts literal newline, you can just insert newline</P><LI-CODE lang="markup">| eval summary = replace(summary, " from ", " from ")</LI-CODE> Thu, 08 Feb 2024 05:04:40 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676929#M231486 yuanliu 2024-02-08T05:04:40Z https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676991#M231502 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; It worked, thanks a lot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Also, could you please explain it to me, or is there any docs I may refer to?</P> Thu, 08 Feb 2024 18:24:32 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676991#M231502 man03359 2024-02-08T18:24:32Z https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676994#M231504 <P>The <FONT face="courier new,courier">rex</FONT> command can either extract fields from an event or replace text in an event.&nbsp; In this case, <FONT face="courier new,courier">mode=sed</FONT> tells it to replace text.&nbsp; The <FONT face="courier new,courier">field=summary</FONT> option restricts the command to the contents of the summary field.</P><P>The quoted string is the sed command to execute.&nbsp; The 's' represents the substitute command.&nbsp; The part after the first slash is a regular expression.&nbsp; It says to look for the string "<FONT face="courier new,courier">from '</FONT>" followed by any number of additional characters (.*).&nbsp; The parentheses create a group we'll refer back to later.&nbsp; The part after the next slash is the replacement text.&nbsp; It puts the "from" back, adds a newline character (\n), then adds the remainder of the original text (the group from part 1).</P><P>To read more about rex, see the Search Reference manual.&nbsp; <A href="https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Rex" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Rex</A></P> Thu, 08 Feb 2024 18:40:18 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-to-break-a-line-in-search-so-that-it-breaks-into-two/m-p/676994#M231504 richgalloway 2024-02-08T18:40:18Z