topic Re: Line breaks being removed from raw data in email alerts after upgrade to 6.1 in Splunk Search

Line breaks being removed from raw data in email alerts after upgrade to 6.1

nvonkorff — Thu, 29 May 2014 00:33:47 GMT

Hi all,

I have tried modifying the scheduled alert email actions to use raw and table format for the emailed alert, but both seem to strip out all line breaks from the original _raw field, meaning it is far more difficult to read long, multiline events with deliberate line breaking for legibility.

Is there any way to force the emailed alerts to keep the original line breaking? Or any way to make the 'table' command keep the original line breaks?

Cheers,
Nick v K

Re: Line breaks being removed from raw data in email alerts after upgrade to 6.1

DavidGuarneri — Tue, 19 Aug 2014 17:16:55 GMT

We are having the same issue. This did not appear to be happening on the email alert table _raw output before the upgrade to 6.1 .

Re: Line breaks being removed from raw data in email alerts after upgrade to 6.1

maimonoded — Tue, 27 Jan 2015 12:49:20 GMT

anyone have a solution/workaround for this issue?

Re: Line breaks being removed from raw data in email alerts after upgrade to 6.1

ifightcrime — Wed, 18 Feb 2015 23:33:59 GMT

Having the same problem. What happened? The alert emails used to look great!!

Re: Line breaks being removed from raw data in email alerts after upgrade to 6.1

nvonkorff — Mon, 04 May 2015 04:51:00 GMT

OK. I think I figured it out. Find your saved "Alert" search in savedsearches.conf

Modify this line:
from:
action.email.format = raw
to:
action.email.format = text

I don't think that there is any way to do this from the user interface. The only options are "Table, Raw or CSV" and none of these seem to retain the original line breaks. My search includes the following at the end:

| fields + _time host _raw

I now have properly formatted (including original line breaks) alerts being sent by email. Yay!!!

Re: Line breaks being removed from raw data in email alerts after upgrade to 6.1

devin_stonecyph — Tue, 05 May 2015 17:00:22 GMT

This didn't work for me. In fact, I didn't even have an action.email.format line, and couldn't find it in the docs. What version are you running? And would you mind sharing your search and the rest of that alert's configs?

Re: Line breaks being removed from raw data in email alerts after upgrade to 6.1

nvonkorff — Sun, 24 May 2015 22:44:39 GMT

Hi Devin,

Running Splunk 6.2.0.

Here is the entire block of the search in question:

[Sybase Deadlocks - Alert]
action.email = 1
action.email.format = text
action.email.inline = 1
action.email.sendresults = 1
action.email.to = joe@example.com
alert.digest_mode = True
alert.severity = 4
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
displayview = flashtimeline
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = search
search = index=sybase sourcetype="sybasease_errorlog" deadlock | transaction source startswith="Deadlock Id * detected" endswith="End of deadlock information" | fields + _time host _raw
vsid = *:4zdfqaho