Splunk Search

What character is Splunk using for line breaks in a multiline event?

Communicator

I have inputs configured to allow for multiline events, representing groups of log lines. I'm then using it to build a very simple search:

eventtype=mlc sourcetype=log4j host=x | table _time message log_level

I would like to know what happens to the data when it gets displayed in a table - it seems that the line breaks are not preserved, but are converted into /s. Is this correct? Is there any way I can preserve the line breaks? Or even just see the literal /n character, or whatever it is.

Thanks,
John Raftery

1 Solution

Esteemed Legend

You are correct; as far as I know, linebreaks cannot be preserved. HOWEVER, you can convert your single-value field containing line-breaks to a multi-value field where each value begins/ends at a line break and the order is preserved.

Do it like this:

... | rex max_match=0 field=multiLineField "(?ms)^\s*(?<multiValueField>[^\r\n]+)\s*$"
| eval multiLineField=multiValueField
| table host multiLineField



Communicator

Ah, that's working now. Thanks very much! I'm wondering, when you click on one of the lines in the multiValueField (when it's displayed in a table), is it possible to get just that line in a token? I would normally put something like this in the drilldown, but it captures the whole MV field:

          <set token="message">$row.message$</set>

Esteemed Legend

I'm an engineer, not a magician! Seriously, though, I suspect it is possible but don't do much custom drill-down. I would click Accept on this answer and then post a new question "How can I drilldown on one value of a multiValue field?"


Communicator

Fair enough. Thanks again.


SplunkTrust

Hi John, the table command doesn't offer anything in the way of formatting. Although the normal event viewer displays multiline events properly, once piping to table, the table command displays the fields without line breaks.

Please let me know if this answers your question 😄


Communicator

Thanks. What I'd like to know is if there is a way to retain the line breaks. If the answer is no (and based on your response it probably is), then will I be able to use "/n" to search my data? E.g.:

... | search message = "First line\nSecond line"

Communicator

Sorry if my question is poorly worded - not easy to explain!
