Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Removing newline and carriage return

avanijjain16
Explorer
‎09-24-2020 11:40 AM

Hi, 

I am new to splunk. I am trying to make my logging message format good. 

I have log message with newline or carriage return not sure which one but when I try to replace it using 

rex field=message mode=sed "s/^[\r\n]+//g" it does not work, Any suggestions? I am not sure if there are any spaces or white spaces but I also tried with s/^/S*[\r\n]+//g

 

Message:

Line1

Line2

Line3

Expected :


Line1
Line2
Line3

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2020 11:58 AM

Your sed matches to [\r\n] at the beginning of the field - could it be at the end? Also, are these 3 instance of the message field or multi-line with the same message instance?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...