Getting Data In

What is the best practice for handling CRLF character replacement?

JonSloan
New Member

We have 2 large datafeeds into Splunk, email and SQL Trace outputs, but the CRLF characters in both feeds are creating more than 3 times as many Events as there are actual records (individual emails or trace records). What is the best practice for this? Firstly - to preserve the line break, but not confuse Splunk. And secondly, how do we deal with the already existing in Splunk?

Thank you very much in advance!

Jon
NYC

0 Karma

muebel
SplunkTrust
SplunkTrust

Hi Jon, you'll want to configure props.conf for that sourcetype to linebreak differently than the default (which is new-line)

Concerning the already existing events, I believe there isn't a whole lot of opportunity to alter them. It's recommended that you use a test index until you have the sourcetype's configured as you want them.

0 Karma

JonSloan
New Member

Hi Muebel,

Thank you very much for your answer! Since this is only occurring within one source column, would you also recommend simply replacing the CRLF characters with the HTML tag "

" before sending Splunk the data so the event parser will work as expected, but we will also still be able to see the line-breaks when viewing the data?

Thanks again,

Jon

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...