Splunk Search

Add Line Breaks with Eval

gcoles
Communicator

This might be a silly question, but has anyone figured out how to add line breaks to text that has been evaluated with eval? I'm looking to do something like what you get if you pipe to stats with a values(fieldName) aggregator, where each value of the field is listed, line by line, as part of a single event in a table.

I have a multi-valued field that contains many long text strings, I'm reporting on the permutations that exist in the text strings, and want to do something like this:

mysearch | eval p=mvjoin(myMvField,"<NEWLINE>") | stats dc(p) AS "Permutation Count" values(p) AS "Permutations"

The above works perfectly if I use a delimiter such as a space character or " , ", but I really want to have a newline there. I've tried the old standby, \n, as well as html <br />, but that is interpreted literally. Unfortunately, line break and newline are hot terms on the splunk site when discussing inputs, so it seems that any documentation related to search is lost in the haystack (I need a 'rarest' on the search screen) 😉

1 Solution

Ayn
Legend

Adding a linebreak is in itself not too hard. mvjoin with some unique delimiter, then replace that delimiter with a newline using rex.

... | eval myfield=mvjoin(myfield,",") | rex mode=sed field=myfield "s/,/\n/g"

The problem then lies in the fact that the table module used by the main search view will make sure that field contents are kept on one single line. stats values solves it by adding div tags in its output, but that's no option for a user in the search app because things like tags will be replaced with their HTML entity counterparts instead.

What you would need to do in order to actually have the table show the newlines is to write your own custom CSS that the search app's table then uses. If that's of interest to you, I could write more about how to achieve that.


woodcock
Esteemed Legend

It can be natively; just split the line literally like this:

| makeresults
| eval raw="foo bar bat"
| makemv raw
| eval raw=mvjoin(raw, "
")

Also, if you really need it to DISPLAY as newlines, then see this Q&A:
https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html

ben_leung
Builder

Maybe not use eval?
makemv delim=" " mv

create some data

index=_internal | head 10 | table _time | eval mv="value1 value2" | table _time, mv | collect index=summary

see how it's multivalue?

index=summary | head 20 | table _time, mv

now break them

index=summary | head 20 | table _time, mv | makemv delim=" " mv

marrette
Path Finder

Thanks @ben_leung this is a fantastic way of adding line breaks to data!

0 Karma

cmulkey2
Explorer

I know this is old, but I needed it today.
Found another way that forces newlines for multivalue fields using the mvindex() function. My use case is that I needed the newline to be formatted properly when exporting the results to csv and this worked:

... | eval myfield = mvindex(myfield, 0, -1)

woodcock
Esteemed Legend

That doesn't appear to do anything at all. Adding | eval count=mvcount(myfield) returns a number>1 so it is still multi-valued.


jkst1972
Explorer

Did you find a solution to your issue with line break?

0 Karma

gcoles
Communicator

I did write my own 'printf' splunk command that let me inject newlines at will, but as Ayn noted, I would then need css modifications or some other magic to make it work in the HTML UI, which seemed cumbersome. Rather than bending Splunk to my will, I found that I could get what I was looking for by altering the search to split by permutations (one event returned per permutation) instead of trying to list out all the permutations with line breaks inside of a single event.

0 Karma
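The one-row-per-permutation search described in the post above, as an added example that is not code from any poster on this thread. It constructs its own sample events with makeresults (the field name myMvField and the values read/write are assumptions), so it can be pasted into any search bar; each distinct ordering of the multivalue field becomes its own row, so no newline inside a cell is needed.

```spl
| makeresults count=4
| streamstats count AS n
| eval myMvField=case(n==1, "read write", n==2, "read", n==3, "read write", n==4, "write read")
| makemv delim=" " myMvField
| eval p=mvjoin(myMvField, " ")
| stats count AS Events BY p
| eventstats dc(p) AS "Permutation Count"
| rename p AS Permutation
```

The constructed data yields three rows (read, read write, write read) with Events 1, 2 and 1, and Permutation Count 3 on every row.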

jumper4000
Explorer

Did you ever figure this out?

0 Karma

Jason
Motivator

This might be a silly answer, but I seem to remember this working in one odd case I was working on:

Have you tried putting a literal newline in your search? e.g. searching for

mysearch | eval p=mvjoin(myMvField,"
") | stats dc(p) AS "Permutation Count" values(p) AS "Permutations"

In the search bar? I would be interested to hear if this works when saved, and if so, what it actually puts in the appropriate savedsearches.conf on the back end.

gcoles
Communicator

Hey Jason, that was a good idea! Unfortunately it doesn't work, I get a parser error:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

I'm going to ask contacts at splunk about this, and hopefully I can post the answer here later!

Thanks!

0 Karma

chksi
New Member

| eval FieldName=split(FieldName," ")

0 Karma