How do I remove line break characters from NBE files?

I-Man
Communicator

Hello all,

We have Nessus running on a Linux server which also has a Splunk Heavy Forwarder 4.1.8. We have the Nessus reports going to a certain directory which Splunk Monitors locally and sends to our Indexer. The results are in this format when they reach the indexer:

results|domain.com|nessus.domain.com|general/tcp|19506|Security Note|\nSynopsis :\n\nInformation about the Nessus scan.\n\nDescription :\n\nThis script displays, for each tested host, information about the scan itself:\n\n - The version of the plugin set\n - The type of plugin feed (HomeFeed or ProfessionalFeed)\n - The version of the Nessus Engine\n - The port scanner(s) used\n - The port range scanned\n - The date of the scan\n - The duration of the scan\n - The number of hosts scanned in parallel\n - The number of checks done in parallel\n\nSolution :\n\nn/a\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nInformation about this scan : \n\nNessus version...

I would like to remove the line break characters (\n AND \n\n) so I can create fields for Description and Synopsis. I'm thinking this will involve a props and maybe a transform; however, I haven't been able to find any documentation on how to do this. Thanks in advance for any help!

I-Man

1 Solution

dwaddle
SplunkTrust

Are these actual line break characters, or are they literally a "\" followed by an "n"? I have never seen Splunk fail to properly consume and deal with actual newlines (CR+LF or LF alone). My guess is these are real backslashes followed by n's. You could check the raw files Nessus makes before Splunk consumes them, just to make sure.

If that is what they are, then you can easily use SEDCMD to fix up the input. I think something like this would work in props.conf.

[mysourcetype]
SEDCMD-backslash_n = s/\\n//g

I-Man
Communicator

Yes, that is exactly how the nbe logs look prior to being splunked by splunk. Furthermore, your SEDCMD script removed the literal \n perfectly! Thanks a million!
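
Added example (not part of the original thread, and not Splunk or Nessus code): a Python sketch that checks whether an NBE line carries literal backslash-n sequences or real newlines, shows the event as it looks after the SEDCMD from the answer, and splits the report text into Synopsis, Description and the other sections. The sample line is constructed from the event quoted in the question, and the column names are assumptions.

```python
import re

# Constructed sample, shortened from the event quoted in the question.
# Raw strings keep each \n as two characters: a backslash and an "n".
SAMPLE = (r"results|domain.com|nessus.domain.com|general/tcp|19506|Security Note|"
          r"\nSynopsis :\n\nInformation about the Nessus scan.\n\n"
          r"Description :\n\nThis script displays, for each tested host, "
          r"information about the scan itself:\n\n - The version of the plugin set\n"
          r" - The date of the scan\n\nSolution :\n\nn/a\n\nRisk factor :\n\nNone\n\n")

# Column names are assumptions chosen for this example.
NBE_COLUMNS = ("record", "network", "host", "service", "plugin_id", "severity", "report")
HEADING = re.compile(r"^(Synopsis|Description|Solution|Risk factor|Plugin output) :$")

def newline_kind(raw):
    # Tell the two cases from the answer apart: literal backslash-n or real LF.
    if "\\n" in raw:
        return "literal"
    return "real" if "\n" in raw else "none"

def sedcmd_strip(raw):
    # Same effect as SEDCMD s/\\n//g from the answer: delete every literal \n.
    return re.sub(r"\\n", "", raw)

def parse_result(raw):
    # Split one NBE "results" line into columns and named report sections.
    # maxsplit keeps any "|" inside the report text in the last column.
    parts = raw.split("|", len(NBE_COLUMNS) - 1)
    if len(parts) != len(NBE_COLUMNS) or parts[0] != "results":
        raise ValueError("not a 7-column NBE results line")
    event = dict(zip(NBE_COLUMNS, parts))
    sections, current = {}, None
    # Turn the escape into a real newline rather than deleting it, so each
    # heading stays on its own line and can serve as a field boundary.
    for line in event.pop("report").replace("\\n", "\n").split("\n"):
        m = HEADING.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.strip())
    event["sections"] = {k: " ".join(v) for k, v in sections.items()}
    return event
```

After the SEDCMD the section headings and their text sit back to back in one line, so search-time extractions for Synopsis and Description have to key on the heading words themselves.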
