topic Re: Why is the regex creating empty events from incoming data? in Splunk Search

Why is the regex creating empty events from incoming data?

derekho55 — Fri, 31 May 2019 20:19:50 GMT

I have a log text file that captures logs in this format:

----------------------------------------
Timestamp: 5/9/2019 1:16:02 AM

Message:  Blah Blah

----------------------------------------
----------------------------------------
Timestamp: 5/9/2019 1:20:05 AM

Message: Bla Bla

----------------------------------------

I'm struggling with creating a regex expression that will not treat it as a new (empty) event.

----------------------------------------
----------------------------------------

Please help. Thanks!

Re: Why is the regex creating empty events from incoming data?

aromanauskas — Fri, 31 May 2019 21:55:46 GMT

This method will break the event and remove the top and bottom dashed lines from the event.

LINE_BREAKER = (\s+-+[\n\r\s]+-+)|(\s+-+[\n\r\s]+)

Re: Why is the regex creating empty events from incoming data?

evania — Mon, 17 Jun 2019 21:56:46 GMT

Hi @derekho55 ,

Did you have a chance to check out any answers? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!