topic Re: What character is Splunk using for line breaks in a multiline event? in Splunk Search

What character is Splunk using for line breaks in a multiline event?

johnraftery — Tue, 01 Mar 2016 15:20:31 GMT

I have inputs configured to allow for multiline events, representing groups of log lines. I'm then using it to build a very simple search:

eventtype=mlc sourcetype=log4j host=x | table _time message log_level

I would like to know what happens to the data when it gets displayed in a table - it seems that the line breaks are not preserved, but are converted into /s. Is this correct? Is there any way I can preserve the line breaks? Or even just see the literal /n character, or whatever it is.

Thanks,
John Raftery

Re: What character is Splunk using for line breaks in a multiline event?

johnraftery — Tue, 01 Mar 2016 15:21:16 GMT

Sorry if my question is poorly worded - not easy to explain!

Re: What character is Splunk using for line breaks in a multiline event?

muebel — Tue, 01 Mar 2016 16:10:04 GMT

Hi John, the table command doesn't offer anything in the way of formatting. Although the normal event viewer displays multiline events properly, once piping to table, the table command displays the fields without line breaks.

Please let me know if this answers your question 😄

Re: What character is Splunk using for line breaks in a multiline event?

johnraftery — Tue, 01 Mar 2016 16:17:40 GMT

Thanks. What I'd like to know is if there is a way to retain the line breaks. Is the answer is no (and based on your response it probably is), then will I be able to use "/n" to search my data? EG:

... | search message = "First line\nSecond line"

Re: What character is Splunk using for line breaks in a multiline event?

woodcock — Tue, 01 Mar 2016 16:53:38 GMT

You are correct; as far as I know, linebreaks cannot be preserved. HOWEVER, you can convert your single-value field containing line-breaks to a multi-value field where each value begins/ends at a line break and the order is preserved.

Do it like this:

... | rex max_match=0 field=multiLineField "(?ms)^\s*(?<multiValueField>[^\r\n]+)\s*$"
| eval multiLineField=multiValueField
| table host multiLineField

Re: What character is Splunk using for line breaks in a multiline event?

johnraftery — Thu, 03 Mar 2016 10:13:06 GMT

Ah, that's working now. Thanks very much! I'm wondering, when you click on one of the lines in the multiValueField (when it's displayed in a table), is it possible to get just that line in a token? I would normally put something like this in the drilldown, but it captures the whole MV field:

          <set token="message">$row.message$</set>

Re: What character is Splunk using for line breaks in a multiline event?

woodcock — Fri, 04 Mar 2016 00:12:06 GMT

I'm an engineer, not a magician! Seriously, though, I suspect it is possible but don't do much custom drill-down. I would click Accept on this answer and then post a new question "How can I drilldown on one value of a multiValue field?"

Re: What character is Splunk using for line breaks in a multiline event?

johnraftery — Fri, 04 Mar 2016 09:36:28 GMT

Fair enough. Thanks again.