Getting Data In

How to remove newline characters that show up in alert CSV but not search?

jdoll1
Explorer

I have an alert that pulls back any updated dashboards every day and sends me an email with the attached CSV file. The XML of the dashboard is included in the results so that I can drop it into TFS.

When I run the search manually and export the results as CSV, it works as intended, but when i get the CSV file in my inbox every line of the XML has a \n character.

I'm working on trying to automate and use this for source control, so ideally i'd like the output to just have the raw XML that I can just use TFS api/executables to drop straight into the repository.

Here is my search, I believe it should work for any Splunk instance:

index=_internal sourcetype=splunkd_ui_access method=POST
| rex field=uri ".*(?<URI>\/servicesNS.*)"
| where like(URI,"%"."data/ui/views/"."%")
| join URI 
    [| rest /servicesNS/-/-/data/ui/views 
| search isDashboard=1 eai:acl.sharing="global"
| eval yesterday=strftime(relative_time(now(), "-2d"), "%Y-%m-%d")
| rex field=id "https:\/\/.*(?<URI>\/servicesNS.*)"
| where updated > yesterday]
| rename eai:appName as App, eai:data as XML
| eval filename=App."_".label
| dedup filename,updated
| table filename, updated, user, XML
| sort +updated

ankithreddy777
Contributor

Have you found any solution for above mentioned Issue. I am facing the similar issue

0 Karma

jdoll1
Explorer

I ended up using a powershell script to "clean" the data once its been delivered...so, no, not really.

0 Karma

valiquet
Contributor

You must not have the same char encoding as Splunk (UTF8 vs ASCII, etc Linux Windows)

You could try |rex mode=sed "s/\n//g" to remove \n but if might not work every time.

Change encoding in your mail client or in props.conf

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...