topic Re: How to split a fieldvalue at the very first line break? in Getting Data In

How to split a fieldvalue at the very first line break?

HeinzWaescher — Wed, 26 Jul 2017 07:40:34 GMT

Hi,

I want to split up a fieldvalue into two parts at the very first linebreak (in total there is an unknown amount of linebreaks)

Here is an example.

Shown Fieldvalue:
java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333
at s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)
at s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
...

Raw data:
"stacktrace":"java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat
...

I want to cut after the first linebreak and ignore all following linebreaks. So that in the end the bold is fieldA and the rest is fieldB

Thanks in advance

Re: How to split a fieldvalue at the very first line break?

gcusello — Wed, 26 Jul 2017 07:51:01 GMT

Hi
did you tried something like this

(?<your_field>[^\n]*)\n

(?<your_field>[^ ]*)\n

Bye.
Giuseppe

Re: How to split a fieldvalue at the very first line break?

HeinzWaescher — Wed, 26 Jul 2017 08:05:36 GMT

Unfortunately I'm not familiar with rex commands. Can you give me a hint how to adopt this?
I tried

| rex field=fieldA (?[^ ]*)\n

But Splunk tells me
Error in 'SearchParser': Missing a search command before '^'.

PS: I don't know why this comment function rejects parts of my entered command after submitting it 😞

Re: How to split a fieldvalue at the very first line break?

gcusello — Wed, 26 Jul 2017 08:58:36 GMT

if you use this regex in a field you can write
(?[^ ]*)\n
if instead you use it in a search, you must put regex in brackets, write

Your_search
| rex "(?<your_field>[^ ]*)\n"
| ...

try both the solutions ( [^ ] and [^\n])

Bye.
Giuseppe

Re: How to split a fieldvalue at the very first line break?

HeinzWaescher — Wed, 26 Jul 2017 09:06:45 GMT

thanks for the clarification. Both options don't change the fieldvalue

Re: How to split a fieldvalue at the very first line break?

gcusello — Wed, 26 Jul 2017 09:18:41 GMT

could you share another example of your log?
Bye.
Giuseppe

Re: How to split a fieldvalue at the very first line break?

HeinzWaescher — Wed, 26 Jul 2017 09:26:07 GMT

Here is an example.

I want to cut after the first linebreak, so that the bold is fieldA and the rest is fieldB

Re: How to split a fieldvalue at the very first line break?

gcusello — Wed, 26 Jul 2017 09:34:28 GMT

try

(?<field1>[^\r\n]*)\n(?<field2>.*)

you can test it at https://regex101.com/r/10IbYY/1

Bye.
Giuseppe

Re: How to split a fieldvalue at the very first line break?

HeinzWaescher — Wed, 26 Jul 2017 09:41:04 GMT

this seems to be a step in the right direction. the field is separated, but field2 only shows the part until the next linebreak appears. can we ignore all linebreaks afterwards?

Re: How to split a fieldvalue at the very first line break?

gcusello — Wed, 26 Jul 2017 10:52:20 GMT

strange in my regex101 test field2 takes all until the end...
anyway try

(?s)(?<field1>[^\r\n]*)\n(?<field2>.*)

see it at https://regex101.com/r/10IbYY/2

Bye.
Giuseppe

Re: How to split a fieldvalue at the very first line break?

HeinzWaescher — Wed, 26 Jul 2017 12:23:21 GMT

thanks, that looks very promising! I recognized some cases where it does not work. any idea why for this example here:

java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at

In Splunk field1 is empty. field2 is:
at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at

Re: How to split a fieldvalue at the very first line break?

woodcock — Wed, 26 Jul 2017 16:49:31 GMT

Like this:

... | rex "(?ms)^(?<part1>[^\r\n]+)[\r\n]+(?<part2>.*)$"

Re: How to split a fieldvalue at the very first line break?

HeinzWaescher — Thu, 27 Jul 2017 07:30:58 GMT

this seems to work all cases 🙂 thanks

Re: How to split a fieldvalue at the very first line break?

gcusello — Thu, 27 Jul 2017 08:38:37 GMT

I cannot see if there's a newline for each line.
Putting this example in regex101, all the three lines are in field1, if I insert a newline after the first, all logs are correctly read (the first in field1 and the others in field2).
Probably there's only one newline in these records.

Bye.
Giuseppe