How to add spacing between multiple eventdata lines of a transaction?
Say, for an access_combined type of log, I group by SessionId for creating transaction paragraphs.
Some paragraphs have as many as 12 lines in them, all displayed one after another (a bit of a cluttered look). It would be nice to be able to append "\n\n" (2 spacing newlines) to the _raw to space out the display of these multiple eventdata lines of the transaction results.
I tried with: 
strcat "\n" _raw "\n" mynewrawline
but the strcat does not interpret "\n" properly.
Any suggestions would be appreciated.
Second related question is: I also tried piping to table and showing the table of all fields.
The spacing looks a bit better, but the problem that then arises is: the fields with the common values are shown only once in the transaction paragraph (the cell below the present row remains empty). The users want to see the dense-table: with all the rows completely filled with all the values of all the fields of every eventdata line gathered in the transaction paragraph in the Results area (and not the sparse table, where duplicate field values are omitted).
Any help with this will be greatly appreciated. Thanks.
I have an XML sourcetype that has multi-values dair across different fieldnames:
e.g. starttime, stoptime, instruction
My problem is that the "instruction" field is really really long.
When I do a table starttime, stoptime, instruction, it looks misaligned.
e.g.
starttime  stoptime  instruction
0900       0935      First instruction is to 
0930       0940      move the cargo to the east
0940       1020      side of the dock. 
                     Second instruction appears
                     not align to the 0930 starttime.
                     Third instruction really needs to
                     the 0940 line.
I was hoping I could align each instruction to the correct starttime.
Any help much appreciated!
Kind Regards,
Joshie

Part 1: If you're using transaction with Splunk 4.3 or later, you can specify mvraw=t delim="\n\n".
(In my case, on a mac, I had to hit option+shift+return to get the \n recognized)
Part 2: Again with transaction, try mvlist=t. With stats try list()
Thanks for the answer on this one! I'm also on a Mac and pounded against this for some time. In the end I actually had to save the transaction command in my macro like this:
|transaction delim=
 src_host, 
with the actual line break breaking the macro.  I was never able to get delim="\n" to work, it always showed up in email as 
You can't use strcat like that, because even if it worked it would just add newlines before and after all the lines in the transaction. Instead you could use the rex command in sed mode to replace any \n character with two \n's. The Splunk web ui tries to be a bit "smart" about the newlines though, so if you just give it two newlines it will not create an extra line unless there's any text in it. So, the trick to avoid that is to add a space between the newlines.
... | rex mode=sed field=_raw "s/\n/\n \n/g"
As for your second question, I don't completely get the desired output, but you might want to look into using stats values and create a table using that.
Thank you Ayn for the rex-sed trick above. For the second part, I'll investigate further. (Basically, the transaction table-display needs to show all rows, all column-headers and all values in every cell, even if some of them are duplicate/repetitive. But this does not happen if you pipe everything out to the final table segment. It "smartens" out the display, by showing spaces for duplicate-values -- and this is deemed undesirable by the app users -- they want a dense-table-output showing everything of all grouped events).
