Re: Why exporting an event to a file removes carri...

hannus · ‎09-16-2016

When I import some text with carriage return and line feed characters, I'm able to get data indexed in correct format. But when I export that same data, I get the following effect:

CR -> CR (ok)
LF -> LF (ok)
LF+CR -> LF+CR (ok) but
CR+LF -> LF (fail)

Why does Splunk remove the CR in CR+LF during export?

hannus · ‎09-19-2016

No, not quite yet. I expect it not to work. But I will test it after learning how to do that...

I'm working on a workaround. With that I'm quite close but I don't know if this can be actually done. My idea is to replace all CRLF's with CRCRLF in the search so the export would come out correct.
I have tested this by importing data in Splunk with "wrong" format, like CRCRLF. When I export this it comes out CRLF. Nice, this kind of works.
Now I'm trying to figure out how I can get the REX MODE=SED to work but I just don't know how to replace the "\r" and "\n" correctly. Simple "\r\r\n" won't work.

My search command:
index=test | REX mode=SED "s/\r\n/?????/g"
The first part (\r\n) works, it finds the CRLF's. But I just don't know how to format the ????? part.

jkat54 · ‎09-19-2016

CR = \r LF = \n

sometimes \R is the similar to \r but i believe its shorthand for (\r OR \n OR \r\n)

ddrillic · ‎09-18-2016

A similar issue at Why are new events resulting from mvexpand picking up special characters when exporting to CSV and h...

Solved via -

hannus · ‎09-19-2016

That didn't work. In that example mentioned in the link he was trying to remove those characters. I'm trying NOT to remove, but to keep the characters.

jkat54 · ‎09-18-2016

So maybe try

 | fields _raw | table _raw

jkat54 · ‎09-18-2016

Have you tried exporting via rest?

Why exporting an event to a file removes carriage return characters (0x0D)?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms