Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the best practice for handling CRLF character replacement?

JonSloan
New Member
‎03-05-2015 08:22 AM

We have 2 large datafeeds into Splunk, email and SQL Trace outputs, but the CRLF characters in both feeds are creating more than 3 times as many Events as there are actual records (individual emails or trace records). What is the best practice for this? Firstly - to preserve the line break, but not confuse Splunk. And secondly, how do we deal with the already existing in Splunk?

Thank you very much in advance!

Jon
NYC

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎03-06-2015 06:47 PM

Hi Jon, you'll want to configure props.conf for that sourcetype to linebreak differently than the default (which is new-line)

Concerning the already existing events, I believe there isn't a whole lot of opportunity to alter them. It's recommended that you use a test index until you have the sourcetype's configured as you want them.

0 Karma
Reply

JonSloan
New Member
‎03-09-2015 01:21 PM

Hi Muebel,

Thank you very much for your answer! Since this is only occurring within one source column, would you also recommend simply replacing the CRLF characters with the HTML tag "

" before sending Splunk the data so the event parser will work as expected, but we will also still be able to see the line-breaks when viewing the data?

Thanks again,

Jon

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...