https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68933#M13947 <P>Hello,</P> <P>I have a log that the customer wants to have parsed and put in to the dashboard. The log is pretty awkward and I'm not sure how to rex out the following:</P> <P>Message Content (Buffer Size is 65536 bytes):<BR /> 282 of 40000 Containers in use.<BR /> 271 of 40000 Buffers in use.<BR /> 8 Containers in use longer than 60.0 seconds.<BR /> Message Metadata (Buffer Size is 16384 bytes):<BR /> 40 of 20000 Containers in use.<BR /> 117 of 20000 Buffers in use.<BR /> 0 Containers in use longer than 60.0 seconds.<BR /> Transaction Log (Buffer Size is 8192 bytes):<BR /> 16 of 8192 Containers in use.</P> <P>So there are 3 events in each log entry and multiple values for each event. What is the best way of doing this?</P> <P>Thanks,</P> <P>Rick</P> Wed, 06 Jun 2012 19:36:52 GMT rjyetter 2012-06-06T19:36:52Z https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68933#M13947 <P>Hello,</P> <P>I have a log that the customer wants to have parsed and put in to the dashboard. The log is pretty awkward and I'm not sure how to rex out the following:</P> <P>Message Content (Buffer Size is 65536 bytes):<BR /> 282 of 40000 Containers in use.<BR /> 271 of 40000 Buffers in use.<BR /> 8 Containers in use longer than 60.0 seconds.<BR /> Message Metadata (Buffer Size is 16384 bytes):<BR /> 40 of 20000 Containers in use.<BR /> 117 of 20000 Buffers in use.<BR /> 0 Containers in use longer than 60.0 seconds.<BR /> Transaction Log (Buffer Size is 8192 bytes):<BR /> 16 of 8192 Containers in use.</P> <P>So there are 3 events in each log entry and multiple values for each event. What is the best way of doing this?</P> <P>Thanks,</P> <P>Rick</P> Wed, 06 Jun 2012 19:36:52 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68933#M13947 rjyetter 2012-06-06T19:36:52Z https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68934#M13948 <P>I would use SHOULD_LINEMERGE = true, treat the whole thing as one event, then you can rex it as a single multi-line event. Yeah, that's ugly, and your regex would be something like </P> <P><CODE>Message\sContent.*(?&lt;content_containers&gt;\d+)\sof\s(?&lt;content_containers_max&gt;\d+)...</CODE></P> Wed, 06 Jun 2012 19:46:18 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68934#M13948 sowings 2012-06-06T19:46:18Z https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68935#M13949 <P>Are the 3 'sub-events' listed above always present in each event? <BR /> In that order? <BR /> Are they always the same (Message Content, Message Metadata, Transaction Log)?<BR /> Which values do you want to extract - just the 282, 271, 8, 40, 117, 0, 16? Or do you want Max values and buffer sizes etc as well?</P> <P>/k</P> Thu, 07 Jun 2012 13:11:39 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68935#M13949 kristian_kolb 2012-06-07T13:11:39Z https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68936#M13950 <P>hi sowings</P> <P>we recently integrate the aix servers with splunk. <BR /> when we see the audit logs in system itself it is showing the logs in two lines. and in splunk it only shows the first line.<BR /> how to fix that issue</P> Tue, 10 Jan 2017 13:53:25 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-log/m-p/68936#M13950 rashid47010 2017-01-10T13:53:25Z