Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best practice for handling CRLF character replacement?

JonSloan
New Member
‎03-05-2015 08:22 AM

We have 2 large datafeeds into Splunk, email and SQL Trace outputs, but the CRLF characters in both feeds are creating more than 3 times as many Events as there are actual records (individual emails or trace records). What is the best practice for this? Firstly - to preserve the line break, but not confuse Splunk. And secondly, how do we deal with the already existing in Splunk?

Thank you very much in advance!

Jon
NYC

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎03-06-2015 06:47 PM

Hi Jon, you'll want to configure props.conf for that sourcetype to linebreak differently than the default (which is new-line)

Concerning the already existing events, I believe there isn't a whole lot of opportunity to alter them. It's recommended that you use a test index until you have the sourcetype's configured as you want them.

0 Karma
Reply

JonSloan
New Member
‎03-09-2015 01:21 PM

Hi Muebel,

Thank you very much for your answer! Since this is only occurring within one source column, would you also recommend simply replacing the CRLF characters with the HTML tag "

" before sending Splunk the data so the event parser will work as expected, but we will also still be able to see the line-breaks when viewing the data?

Thanks again,

Jon

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...