Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split multiple lines of data into a single individual line in splunk using \n?

Shan
Builder
‎08-23-2021 07:33 AM

As i mentioned below prod column has multiple values and i want to split it based on \n next line command and get the output as mentioned in output image.

Current data:

Shan_0-1629728821294.png

Expected output:

Shan_1-1629728934077.png

Thanks in advance ..

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Shan
Builder
‎08-23-2021 11:26 PM

@ITWhisperer 

Thanks for your input . As i mentioned Split not helped me.
I can able to achieve what i expected with below solution.

| makemv tokenizer="([^\r\n]+)(\r\n)?" Prod
| mvexpand Prod

🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2021 07:43 AM 
| eval Prod=split(Prod,"
")
| mvexpand Prod
Reply
Solved! Jump to solution

Shan
Builder
‎08-23-2021 08:14 AM

@ITWhisperer 

Thanks for your input. But its not working .

Shan_1-1629731597744.png

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2021 08:24 AM

The split has the newline in quotes - hint: use <shift><return> to insert into search

0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎08-23-2021 09:12 AM

@ITWhisperer 

Sorry, I'm not able to follow you. Can you please give me an example query..

Thanks in advance ..

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2021 10:29 AM 
| eval Prod=split(Prod,"
")
| mvexpand Prod

If this is not working, can you share your search in the same way i.e. in a code block </>

0 Karma
Reply
Solved! Jump to solution
Solution

Shan
Builder
‎08-23-2021 11:26 PM

@ITWhisperer 

Thanks for your input . As i mentioned Split not helped me.
I can able to achieve what i expected with below solution.

| makemv tokenizer="([^\r\n]+)(\r\n)?" Prod
| mvexpand Prod

🙂

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...