Reporting
Highlighted

Why exporting an event to a file removes carriage return characters (0x0D)?

Explorer

When I import some text with carriage return and line feed characters, I'm able to get data indexed in correct format. But when I export that same data, I get the following effect:

CR -> CR (ok)
LF -> LF (ok)
LF+CR -> LF+CR (ok) but
CR+LF -> LF (fail)

Why does Splunk remove the CR in CR+LF during export?

Highlighted

Re: Why exporting an event to a file removes carriage return characters (0x0D)?

SplunkTrust
SplunkTrust

Have you tried exporting via rest?

0 Karma
Highlighted

Re: Why exporting an event to a file removes carriage return characters (0x0D)?

Ultra Champion
0 Karma
Highlighted

Re: Why exporting an event to a file removes carriage return characters (0x0D)?

SplunkTrust
SplunkTrust

So maybe try

 | fields _raw | table _raw
0 Karma
Highlighted

Re: Why exporting an event to a file removes carriage return characters (0x0D)?

Explorer

That didn't work. In that example mentioned in the link he was trying to remove those characters. I'm trying NOT to remove, but to keep the characters.

0 Karma
Highlighted

Re: Why exporting an event to a file removes carriage return characters (0x0D)?

Explorer

No, not quite yet. I expect it not to work. But I will test it after learning how to do that...

I'm working on a workaround. With that I'm quite close but I don't know if this can be actually done. My idea is to replace all CRLF's with CRCRLF in the search so the export would come out correct.
I have tested this by importing data in Splunk with "wrong" format, like CRCRLF. When I export this it comes out CRLF. Nice, this kind of works.
Now I'm trying to figure out how I can get the REX MODE=SED to work but I just don't know how to replace the "\r" and "\n" correctly. Simple "\r\r\n" won't work.

My search command:
index=test | REX mode=SED "s/\r\n/?????/g"
The first part (\r\n) works, it finds the CRLF's. But I just don't know how to format the ????? part.

0 Karma
Highlighted

Re: Why exporting an event to a file removes carriage return characters (0x0D)?

SplunkTrust
SplunkTrust

CR = \r LF = \n

sometimes \R is the similar to \r but i believe its shorthand for (\r OR \n OR \r\n)

0 Karma