Getting Data In

Can I remove extra newlines from my csv?

kinkdotcom
New Member

I have an alert set up that surfaces suspicious activity by IP addresses, which triggers an extremely simple shell script that feeds IPs to a separate webapp.

The _si field has a newline in it, which turns every other line in the script into garbage data. Is there any way to remove the newline or exclude some or all of the metadata from the CSV output? I'd like to keep this as simple as possible; worst case scenario I can call another script, but I'd rather reduce the number of moving parts.


Rob
Splunk Employee

Hi Kinkdotcom,

There are a couple of different workarounds we can use that mostly deal with re-formatting the _si field.

For example you can include the following in the scheduled search to change _si="hostname\r\nindexname" to _si="hostname, indexname":

| rex field=_si "^(?<siHostName>[^\r\n]+)[\r\n]+(?<siIndexName>.+)$" | eval _si=if(isnotnull(siIndexName), siHostName.", ".siIndexName, _si)

Unfortunately, there is not really a good way to do this using props and transforms, as we cannot concatenate fields at that point. However, if you wanted to, you could run the regex extraction with a props.conf line in the appropriate stanza and only use one eval in your search to provide the concatenation. This would look sort of like this:

#in props.conf
[<source|sourcetype|host>]
EXTRACT-myNew_si = ^(?<siHostName>[^\r\n]+)[\r\n]+(?<siIndexName>.+)$ in _si

then your search just needs to include the following eval:

| eval _si=if(isnotnull(siIndexName), siHostName.", ".siIndexName, _si)

This will help to shorten your search string a bit while maintaining the same fundamental extractions.

Finally, the reason for using the eval if() is to make sure not to add the comma separation when we have a blank index name value, as this gets saved back to the _si field, which is contained within $SPLUNK_ARG_8.

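The answer above reshapes _si on the Splunk side. The other half of the problem is the consumer: a shell script that splits the results file on newlines will break on any quoted CSV cell that contains one, whether it is _si or a multi-line _raw. The example below is added here and is not code from the original thread or from Splunk; it uses a constructed two-row results CSV (not real Splunk output) with a CRLF embedded in _si, shows the garbage a naive line split produces, parses the same text with a real CSV parser instead, and mirrors the rex/eval logic from the answer as flatten_si() so the rewritten file is one physical line per result.

```python
import csv
import io
import re

# Constructed sample, not captured from a Splunk instance: what an alert results
# CSV looks like when _si carries an embedded CRLF ("hostname\r\nindexname").
SAMPLE_CSV = (
    '"src_ip","count","_si"\r\n'
    '"203.0.113.10","42","splunk-idx01\r\nmain"\r\n'
    '"198.51.100.7","17","splunk-idx02\r\nmain"\r\n'
)


def naive_ips(text):
    """The line-oriented approach that breaks: split on newlines, take the
    first comma-separated field. Every other 'line' is really the tail of
    the previous row's quoted _si value, so it comes back as an 'IP'."""
    ips = []
    for line in text.splitlines()[1:]:  # skip the header
        if line:
            ips.append(line.split(",")[0].strip('"'))
    return ips


def parse_rows(text):
    """Quote-aware parse: csv keeps the CRLF inside the quoted _si cell and
    still yields exactly one dict per result row."""
    return list(csv.DictReader(io.StringIO(text, newline="")))


def extract_ips(text):
    """What the alert script actually wants: one IP per result row."""
    return [row["src_ip"] for row in parse_rows(text)]


# Same shape as the SPL rex in the answer: host before the line break,
# index after it. Values without a line break are left untouched, which is
# what the eval if() in the answer guards against.
_SI_RE = re.compile(r"^(?P<host>[^\r\n]+)[\r\n]+(?P<index>.+)$")


def flatten_si(value):
    """'hostname\\r\\nindexname' -> 'hostname, indexname'; anything else unchanged."""
    m = _SI_RE.match(value)
    if not m:
        return value
    return f"{m.group('host')}, {m.group('index')}"


def flatten_csv(text):
    """Rewrite the results so every row is a single physical line, suitable
    for a plain `while read` loop in the shell script."""
    rows = parse_rows(text)
    out = io.StringIO()
    fieldnames = list(rows[0]) if rows else []
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        row["_si"] = flatten_si(row["_si"])
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print("naive:", naive_ips(SAMPLE_CSV))
    print("parsed:", extract_ips(SAMPLE_CSV))
    print(flatten_csv(SAMPLE_CSV), end="")
```

In an alert script the input would be the (gzipped) results file whose path Splunk passes as $SPLUNK_ARG_8, as the answer notes; reading that path instead of SAMPLE_CSV is the only change needed. Either approach, the SPL reshaping or a quote-aware parser on the consumer side, removes the dependency on _si never containing a line break.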