Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is Splunk not maintaining line breaks as in the original log?

spsrasru
Path Finder
‎08-18-2014 01:56 PM

splunk enterprise 6.1.1

In search view on the Splunk search head web front end, as well as in table view in the email alerts, Splunk is not maintaining line breaks as in the original log.

Tags (2)
Reply

edoardo_vicendo
Builder
‎03-12-2019 09:03 AM

Ciao,

Please check my answer reported here:

https://answers.splunk.com/answers/494716/how-to-split-a-multi-line-raw-to-a-multivalue-with.html?ch...

basically you can do in this way:

your base search | rex max_match=0 "^(?<lines>.+)\n+" | eval raw2=mvindex(lines,0,-1) | table raw2

Best Regards,
Edoardo

0 Karma
Reply

maimonoded
New Member
‎01-27-2015 04:49 AM

anyone have a solution/workaround for this issue?

0 Karma
Reply

adamw
Communicator
‎10-14-2014 09:46 AM

Other users are reporting the same thing since the upgrade to 6.1:
http://answers.splunk.com/answers/138053/line-breaks-being-removed-from-raw-data-in-email-alerts-aft...

Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-14-2014 09:54 AM

@adamw the link points to this question itself. This said, I have seen this before 6, too. Does it have to do with overload? I am under the impression that this tends to happen when volume is extremely high, although I do not have direct measurement.

0 Karma
Reply

adamw
Communicator
‎10-14-2014 09:58 AM

@yuanliu sorry, copy and paste fail. Updated the link to the other question.

The alert I see it on is one where the output in each _raw cell is around 20 lines. Under 6.0 it showed the _raw field in the table with the proper line breaks, but since our 6.1 upgrade, it ignores newlines in _raw and mashes all of the log data into one text blob.

It still looks properly line break'ed in the search UI.

0 Karma
Reply

strive
Influencer
‎08-18-2014 02:17 PM

Can you post the original log samples and also explain where Splunk is not maintaining line breaks

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...