How to insert a newline into a Splunk alert? This blog post is a quick one: I couldn't find an answer anywhere, but the trick below has worked every time I tried it. I have worked with several companies that use Splunk for their time series data and monitoring stack. I don't usually write all of the queries, but I work with people who do. I have seen engineers struggle with this seemingly simple thing, often because Splunk is clunky and the documentation is lacking.
If you want to introduce a line break into a field (the body of an alert, for example), change your query to include an eval that concatenates the break onto the field with the . operator, making sure you keep the brackets. The string literal is not the two characters \n, which eval does not turn into a line break; it is an actual line break typed between the quotes in the search bar, so the query itself spans two lines. Change the field name to suit your needs:
eval field_i_want_to_change=(field_i_want_to_change . "
")
Is it nice? No, it is hacky.
Does it work? Yes, whether the break is LF or CRLF.
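The same concatenation trick in a complete, self-contained search, as an added example that is not from the original post. It builds its own sample rows with makeresults (constructed data, no index needed) and assembles a multi-line alert body from a multivalue field. Instead of a line break typed between the quotes, it uses urldecode("%0A") for LF and urldecode("%0D%0A") for CRLF, which give the same characters but stay visible in the query text; the field names host, status, line, lines and body are my own.

```spl
| makeresults count=3
| streamstats count AS n
| eval host="web-0" . n, status=if(n=2, "down", "degraded")
| eval line=host . " is " . status
| stats list(line) AS lines
| eval body="Affected hosts:" . urldecode("%0A") . mvjoin(lines, urldecode("%0A"))
| eval body_crlf="Affected hosts:" . urldecode("%0D%0A") . mvjoin(lines, urldecode("%0D%0A"))
| table body body_crlf
```

Run it in the search bar and then reference the body field in the alert action (for example $result.body$ in an email alert). Whether the break is shown depends on the consumer: a plain-text email keeps it, while the Splunk Web results table collapses it, so check the delivered alert rather than the preview.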
What doesn’t work in most cases
I have seen people use rex with sed mode and fail to make it work.
| rex field=body mode=sed "s/\\n/,\n/g" | ...;
I have seen people try to use makemv and fail.