This might be a silly question, but has anyone figured out how to add line breaks to text that has been evaluated with eval? I'm looking to do something like what you get if you pipe to stats with a values(fieldName) aggregator, where each value of the field is listed, line by line, as part of a single event in a table.
I have a multi-valued field that contains many long text strings, I'm reporting on the permutations that exist in the text strings, and want to do something like this:
mysearch | eval p=mvjoin(myMvField,"<NEWLINE>") | stats dc(p) AS "Permutation Count" values(p) AS "Permutations"
The above works perfectly if I use a delimiter such as a space character or " , ", but I really want to have a newline there. I've tried the old standby, \n, as well as html <br />, but that is interpreted literally. Unfortunately line break and newline are hot terms on the splunk site when discussing inputs, it seems that any documentation related to search is lost in the haystack (I need a 'rarest' on the search screen) 😉
Adding a linebreak is in itself not too hard. mvjoin with some unique delimiter, then replace that delimiter with a newline using rex.
... | eval myfield=mvjoin(myfield,",") | rex mode=sed field=myfield "s/,/\n/g"
The problem then lies with that the table module used by the main search view will make sure that field contents will be kept in one single line. stats values solves it by adding div tags in its output, but that's no option for a user in the search app because things like tags will be replaced with their HTML entity counterparts instead.
What you would need to do in order to actually have the table show the newlines is to write your own custom CSS that the search app's table then uses. If that's of interest to you, I could write more about how to achieve that.
It can be natively; just split the line literally like this:
| makeresults
| eval raw="foo bar bat"
| makemv raw
| eval raw=mvjoin(raw, "
")
Also, if you really need it to DISPLAY as newlines, then see this Q&A:
https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html
Maybe not use eval?
makemv delim=" " mv
create some data
index=_internal | head 10 | table _time | eval mv="value1 value2" | table _time, mv | collect index=summary
see how it's multivalue?
index=summary | head 20 | table _time, mv
now break them
index=summary | head 20 | table _time, mv | makemv delim=" " mv
Thanks @ben_leung this is a fantastic way of adding line breaks to data!
I know this is old, but I needed it today.
Found another way that forces newlines for multivalue fields using the mvindex() function. My use case is that I needed the newline to be formatted properly when exporting the results to csv and this worked:
... | eval myfield = mvindex(myfield, 0, -1)
That doesn't appear to do anything at all. Adding | eval count=mvcount(myfield) returns a number>1 so it is still multi-valued.
To make it display as newlines, see my answer here:
https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html
Did you find a solution to your issue with line break?
I did write my own 'printf' Splunk command that let me inject newlines at will, but as Ayn noted, I would then need CSS modifications or some other magic to make it work in the HTML UI, which seemed cumbersome. Rather than bending Splunk to my will, I found that I could get what I was looking for by altering the search to split by permutations (one event returned per permutation) instead of trying to list out all the permutations with line breaks inside of a single event.
If you need this, see here:
https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html
did you ever figure this out?
This might be a silly answer, but I seem to remember this working in one odd case I was working on:
Have you tried putting a literal newline in your search? e.g. searching for
mysearch | eval p=mvjoin(myMvField,"
") | stats dc(p) AS "Permutation Count" values(p) AS "Permutations"
In the search bar? I would be interested to hear if this works when saved, and if so, what it actually puts in the appropriate savedsearches.conf on the back end.
Hey Jason, that was a good idea! Unfortunately it doesn't work, I get a parser error:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
I'm going to ask contacts at splunk about this, and hopefully I can post the answer here later!
Thanks!
| eval FieldName=split(FieldName," ")