When I import some text with carriage return and line feed characters, I'm able to get data indexed in correct format. But when I export that same data, I get the following effect:
CR -> CR (ok)
LF -> LF (ok)
LF+CR -> LF+CR (ok) but
CR+LF -> LF (fail)
Why does Splunk remove the CR in CR+LF during export?
That didn't work. In that example mentioned in the link he was trying to remove those characters. I'm trying NOT to remove, but to keep the characters.
No, not quite yet. I expect it not to work. But I will test it after learning how to do that...
I'm working on a workaround. With that I'm quite close but I don't know if this can be actually done. My idea is to replace all CRLF's with CRCRLF in the search so the export would come out correct.
I have tested this by importing data in Splunk with "wrong" format, like CRCRLF. When I export this it comes out CRLF. Nice, this kind of works.
Now I'm trying to figure out how I can get the REX MODE=SED to work but I just don't know how to replace the "\r" and "\n" correctly. Simple "\r\r\n" won't work.
My search command:
index=test | REX mode=SED "s/\r\n/?????/g"
The first part (\r\n) works, it finds the CRLF's. But I just don't know how to format the ????? part.