Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why exporting an event to a file removes carriage return characters (0x0D)?

hannus
Explorer
‎09-16-2016 05:11 AM

When I import some text with carriage return and line feed characters, I'm able to get data indexed in correct format. But when I export that same data, I get the following effect:

CR -> CR (ok)
LF -> LF (ok)
LF+CR -> LF+CR (ok) but
CR+LF -> LF (fail)

Why does Splunk remove the CR in CR+LF during export?

Reply

hannus
Explorer
‎09-19-2016 01:02 AM

No, not quite yet. I expect it not to work. But I will test it after learning how to do that...

I'm working on a workaround. With that I'm quite close but I don't know if this can be actually done. My idea is to replace all CRLF's with CRCRLF in the search so the export would come out correct.
I have tested this by importing data in Splunk with "wrong" format, like CRCRLF. When I export this it comes out CRLF. Nice, this kind of works.
Now I'm trying to figure out how I can get the REX MODE=SED to work but I just don't know how to replace the "\r" and "\n" correctly. Simple "\r\r\n" won't work.

My search command:
index=test | REX mode=SED "s/\r\n/?????/g"
The first part (\r\n) works, it finds the CRLF's. But I just don't know how to format the ????? part.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-19-2016 05:03 AM

CR = \r LF = \n

sometimes \R is the similar to \r but i believe its shorthand for (\r OR \n OR \r\n)

0 Karma
Reply

ddrillic
Ultra Champion
‎09-18-2016 01:36 PM

A similar issue at Why are new events resulting from mvexpand picking up special characters when exporting to CSV and h...

Solved via -

alt text

Preview file
35 KB
0 Karma
Reply

hannus
Explorer
‎09-19-2016 12:59 AM

That didn't work. In that example mentioned in the link he was trying to remove those characters. I'm trying NOT to remove, but to keep the characters.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-18-2016 06:19 PM

So maybe try 

 | fields _raw | table _raw
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-18-2016 10:50 AM

Have you tried exporting via rest?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...