In my environment the following servers exist.
windows 2012 R2
Splunk 6.5.2
On this server, when trying to export logs in csv format on Splunk web, the line breaking twice and outputted with blank line between each line.
I suspected a misconfiguration of a specific log, but even if I exported _internal log, a line breaking was done.
After converting it to binary format and confirming it, I found that the first line feed was done in CR format and the second line feed seemed to be done in CRLF format.
I think that it caused by reconverting only the LF part of the line feed in CRLF format into CRLF again.
I predicted that the following phenomena might be occurring.
###############
_raw ~ CRLF (* At this time still a single line break)
_raw ~ CR CRLF (* LF is converted to CRLF, and the number of line feeds is twice.)
###############
Is this a known issue?
↧