I'm importing messages that are in xml format and I'm extracting 25 fields during indexing. I verified from the messaging system that it is sending the CR character. Everything else seems to work fine. I managed to get rid of the jms message header with the fresh version of the JMS Messaging Modular Input (v.1.5.1). That was good! inputs.conf (in /apps/launcher/local): [jms://queue/:QSPLUNKIN_Dest] browse_frequency = 30 browse_mode = all browse_queue_only = 0 durable = 0 hec_batch_mode = 0 hec_https = 0 index = jms index_message_header = 0 index_message_properties = 0 init_mode = jndi jms_connection_factory_name = SplunkConnectionFactory jndi_initialcontext_factory = com.sun.jndi.fscontext.RefFSContextFactory jndi_provider_url = file:/C:/MQJNDI output_type = stdout sourcetype = ME120_st_spec strip_newlines = 0 disabled = 0 message_handler_impl = com.splunk.modinput.jms.custom.handler.BodyOnlyMessageHandler props.conf (in apps/jms_ta/local): [ME120_st_spec] NO_BINARY_CHECK = true category = Custom description = My comment here pulldown_type = 1 disabled = false MAX_TIMESTAMP_LOOKAHEAD = 19 TIME_FORMAT = %Y-%m-%dT%H:%M:%S TIME_PREFIX = < MonitoringTime > ((<-- had to add spaces here to show the text)) MAX_EVENTS = 50000 SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = ^ < ? xml version ((<-- also had to add spaces here to show the text)) TRUNCATE = 60000 TRANSFORMS-me120 = Field1,Field2,Field3,Field4,...,Field24,Field25 LINE_BREAKER = ((*FAIL)) transforms.conf (in apps/jms_ta/local): [Field1] REGEX = ((?<=Field1>).*?(?=< / Field1>)) ((<-- again more spaces here to show text)) FORMAT = Field1::$1 WRITE_META = true [Field2] REGEX = ((?<=Field2>).*?(?=< / Field2>)) ((<-- and again more spaces here to show text)) FORMAT = Field2::$1 WRITE_META = true ...[Field25]... Thanks for your help! ... View more

No, not quite yet. I expect it not to work. But I will test it after learning how to do that... I'm working on a workaround. With that I'm quite close but I don't know if this can be actually done. My idea is to replace all CRLF's with CRCRLF in the search so the export would come out correct. I have tested this by importing data in Splunk with "wrong" format, like CRCRLF. When I export this it comes out CRLF. Nice, this kind of works. Now I'm trying to figure out how I can get the REX MODE=SED to work but I just don't know how to replace the "\r" and "\n" correctly. Simple "\r\r\n" won't work. My search command: index=test | REX mode=SED "s/\r\n/?????/g" The first part (\r\n) works, it finds the CRLF's. But I just don't know how to format the ????? part. ... View more

That didn't work. In that example mentioned in the link he was trying to remove those characters. I'm trying NOT to remove, but to keep the characters. ... View more

I currently evaluating the product with no paid license so I guess I'm not in a position where I could submit a ticket... ... View more

That LINE_BREAKER = ((*FAIL)) seems to do the trick. Splunk now indexes the imported file correctly (as seen from the "0" file in "rawdata" folder). I suppose you don't know how to export data exactly how it is in the index file...? My export tests (from GUI) show: CR -> CR (ok) LF -> LF (ok) LF+CR -> LF+CR (ok) BUT CR+LF -> LF (fail) I need to do some more digging on exporting data... I suppose I will create whole another question for this. Thank you very much for your help on this! ... View more

While working on this problem I'm using "Add Data" wizard from the main UI. Using SE version 6.4.1. Props.conf: [A_MyTestSourcetype] NO_BINARY_CHECK = false category = Custom description = Testing CR pulldown_type = 1 disabled = false SHOULD_LINEMERGE = false LINE_BREAKER=(ABabABab) TRUNCATE = 9999999 File (for example): 111 cr 11111 crlf 22 cr 222222 crlf 33333333 crlf 444 lf 44444 In this best case CR inside the line are kept but at the end they are removed. Thanks for taking time to help! ... View more

I just can't make this work. I get the meaning of LINE_BREAKER and the default value. It is clearly meant for log files where every line ends with some combination of CR and LF. And it removes them so that only the real data is kept, not the end-of-line characters. Well I thought that if I add some random string to LINE_BREAKER it would not find it and it keeps the CR and LF and not try to replace them. But no. It decides to change them anyway. So I guess there is something (actually alot since I'm a newbie) that I'm not understanding. I wonder if anyone could solve this. ... View more

And while this is out in the open, why Splunk adds newline (0x0a) character in the end of the export (at least from GUI). I'd need to get data in and out unchanged! ... View more