Solved: Line breaks being removed from raw data in email a...

nvonkorff · ‎05-28-2014

Hi all,

I have tried modifying the scheduled alert email actions to use raw and table format for the emailed alert, but both seem to strip out all line breaks from the original _raw field, meaning it is far more difficult to read long, multiline events with deliberate line breaking for legibility.

Is there any way to force the emailed alerts to keep the original line breaking? Or any way to make the 'table' command keep the original line breaks?

Cheers,
Nick v K

nvonkorff · ‎05-03-2015

OK. I think I figured it out. Find your saved "Alert" search in savedsearches.conf

Modify this line:
from:
action.email.format = raw
to:
action.email.format = text

I don't think that there is any way to do this from the user interface. The only options are "Table, Raw or CSV" and none of these seem to retain the original line breaks. My search includes the following at the end:

| fields + _time host _raw

I now have properly formatted (including original line breaks) alerts being sent by email. Yay!!!

View solution in original post

nvonkorff · ‎05-03-2015

OK. I think I figured it out. Find your saved "Alert" search in savedsearches.conf

Modify this line:
from:
action.email.format = raw
to:
action.email.format = text

I don't think that there is any way to do this from the user interface. The only options are "Table, Raw or CSV" and none of these seem to retain the original line breaks. My search includes the following at the end:

| fields + _time host _raw

I now have properly formatted (including original line breaks) alerts being sent by email. Yay!!!

devin_stonecyph · ‎05-05-2015

This didn't work for me. In fact, I didn't even have an action.email.format line, and couldn't find it in the docs. What version are you running? And would you mind sharing your search and the rest of that alert's configs?

nvonkorff · ‎05-24-2015

Hi Devin,

Running Splunk 6.2.0.

Here is the entire block of the search in question:

[Sybase Deadlocks - Alert]
action.email = 1
action.email.format = text
action.email.inline = 1
action.email.sendresults = 1
action.email.to = joe@example.com
alert.digest_mode = True
alert.severity = 4
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
displayview = flashtimeline
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = search
search = index=sybase sourcetype="sybasease_errorlog" deadlock | transaction source startswith="Deadlock Id * detected" endswith="End of deadlock information" | fields + _time host _raw
vsid = *:4zdfqaho

ifightcrime · ‎02-18-2015

Having the same problem. What happened? The alert emails used to look great!!

maimonoded · ‎01-27-2015

anyone have a solution/workaround for this issue?

DavidGuarneri · ‎08-19-2014

We are having the same issue. This did not appear to be happening on the email alert table _raw output before the upgrade to 6.1 .

Line breaks being removed from raw data in email alerts after upgrade to 6.1

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation