Hello all,
I just wanted to know if I can set new line "\n" as a delimiter for Splunk ES field mapping. If I do comma separation, the data looks quite shabby, as I'm trying to populate the description field with 8-9 fields.
I tried putting "\n" in the property, but that did not work.
I want to avoid scripting in the field mapping.
Is there any other way to achieve this?
Hey there - on the Splunk Event Profile > Field Mapping > Large multi-line string field (e.g. Description)
You can just add a return / line break (enter / return key on your keyboard) for the various fields you intend to map within the description. They will show up as a separate line - no need to script or use the delimiter.
It's a common method to leverage the format of "Field: ${Value}" for legibility.
Another tip, where you may try to do lookups and set reference fields on a best effort - (e.g. CI, Affected User), you can also map the raw string value to the Description as a fallback, in-case you are not able to to successfully match to a record in your lookup.
Reference:
Hey there - on the Splunk Event Profile > Field Mapping > Large multi-line string field (e.g. Description)
You can just add a return / line break (enter / return key on your keyboard) for the various fields you intend to map within the description. They will show up as a separate line - no need to script or use the delimiter.
It's a common method to leverage the format of "Field: ${Value}" for legibility.
Another tip, where you may try to do lookups and set reference fields on a best effort - (e.g. CI, Affected User), you can also map the raw string value to the Description as a fallback, in-case you are not able to to successfully match to a record in your lookup.
Reference:
