Bernard Pietraga

Newline (line break) in Splunk alerts and output

How do you insert a newline into a Splunk alert? This blog post is a quick one: I couldn't find an answer on how to do it, and the approach below has worked every time I have tried it. I have worked with several companies that use Splunk for their time-series data and monitoring stack. I don't usually write all of the queries, but I work with people who do. I have seen engineers struggle with this seemingly simple thing, often because Splunk is clunky and the documentation is lacking.

If you want to introduce a new line into some field or set of data, change your query to include an eval like the one below, making sure you keep the brackets: the line break is a literal newline typed inside the quoted string, not a \n escape. Change the field name to suit your needs.

eval field_i_want_to_change=(field_i_want_to_change . "
")

Is it nice? No, it is hacky.
Does it work? Yes, whether the break is LF or CRLF.
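As an added example (not from the original post), here is the same trick used to build a multi-line body for a failed-login alert; it goes slightly beyond the single eval above by also passing the literal-newline string as the delimiter of mvjoin, so a multivalue field is rendered one value per line. The input rows are constructed with makeresults so the search runs without any index; the field names and the threshold of 3 failures are assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval user=if(n<=3, "alice", "bob"), src="10.0.0." . n, action="failure"
| stats count AS failures, values(src) AS sources BY user
| where failures >= 3
| eval sources=mvjoin(sources, "
")
| eval message="User: " . user . "
Failed logins: " . failures . "
Source IPs:
" . sources
| table user, message
```

Without the mvjoin step the multivalue sources field is flattened onto one line in the alert output. If the alert is delivered as an HTML email, the renderer collapses the line breaks, so send it as plain text.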

What doesn’t work in most cases

I have seen people use rex with sed mode and fail to make it work.

| rex field=body mode=sed "s/\\n/,\n/g" | ...;

I have also seen people try to use makemv and fail.