topic Re: How do you extract multiline fields based on a different string? in Splunk Search

How do you extract multiline fields based on a different string?

AKG1_old1 — Mon, 21 Jan 2019 15:31:03 GMT

Hi,

I am looking to extract fields from multi line events. I have two different types of events. I'm looking to distinguish based of matching string.

Type 1:
Matching String = Full GC

Type 2:
Matching String = GC Pause

In both events, I need to extract the same details.

 [Eden: 114.0M(114.0M)->0.0B(111.0M) Survivors: 11.0M->12.0M Heap: 231.3M(270.0M)->118.7M(270.0M)]

Sample Data:

2019-01-17T15:59:28.172+0100: 3093.554: [GC pause (G1 Evacuation Pause) (young), 0.1252055 secs]
   [Parallel Time: 69.7 ms, GC Workers: 11]
      [GC Worker Start (ms): Min: 3093555.2, Avg: 3093558.8, Max: 3093566.0, Diff: 10.8]
      [Ext Root Scanning (ms): Min: 0.0, Avg: 1.6, Max: 8.4, Diff: 8.4, Sum: 17.4]
      [Update RS (ms): Min: 0.0, Avg: 1.1, Max: 2.3, Diff: 2.3, Sum: 12.0]
         [Processed Buffers: Min: 0, Avg: 7.5, Max: 33, Diff: 33, Sum: 83]
      [Scan RS (ms): Min: 0.2, Avg: 1.7, Max: 2.8, Diff: 2.6, Sum: 18.9]
      [Code Root Scanning (ms): Min: 0.0, Avg: 0.9, Max: 9.0, Diff: 9.0, Sum: 9.8]
      [Object Copy (ms): Min: 53.7, Avg: 60.6, Max: 63.1, Diff: 9.4, Sum: 666.4]
      [Termination (ms): Min: 0.0, Avg: 0.0, Max: 0.0, Diff: 0.0, Sum: 0.0]
         [Termination Attempts: Min: 1, Avg: 1.0, Max: 1, Diff: 0, Sum: 11]
      [GC Worker Other (ms): Min: 0.0, Avg: 0.1, Max: 0.1, Diff: 0.1, Sum: 0.9]
      [GC Worker Total (ms): Min: 58.8, Avg: 65.9, Max: 69.6, Diff: 10.8, Sum: 725.4]
      [GC Worker End (ms): Min: 3093624.7, Avg: 3093624.7, Max: 3093624.8, Diff: 0.1]
   [Code Root Fixup: 0.2 ms]
   [Code Root Purge: 0.1 ms]
   [Clear CT: 1.3 ms]
   [Other: 54.0 ms]
      [Choose CSet: 0.0 ms]
      [Ref Proc: 44.6 ms]
      [Ref Enq: 1.0 ms]
      [Redirty Cards: 0.4 ms]
      [Humongous Register: 1.1 ms]
      [Humongous Reclaim: 0.0 ms]
      [Free CSet: 6.1 ms]
   [Eden: 16.5G(16.5G)->0.0B(16.4G) Survivors: 272.0M->456.0M Heap: 18.2G(28.0G)->1871.9M(28.0G)]
 [Times: user=1.22 sys=0.03, real=0.12 secs] 
2019-01-17T16:00:39.144+0100: 3164.525: [Full GC (Heap Inspection Initiated GC)  5595M->1101M(28G), 4.2044268 secs]
   [Eden: 3720.0M(16.4G)->0.0B(16.8G) Survivors: 456.0M->0.0B Heap: 5595.9M(28.0G)->1101.3M(28.0G)], [Metaspace: 187278K->187274K(1216512K)]
 [Times: user=5.76 sys=0.06, real=4.20 secs]

Re: How do you extract multiline fields based on a different string?

harsmarvania57 — Mon, 21 Jan 2019 15:43:00 GMT

It will be good if you provide some sample data instead of screenshot.

Re: How do you extract multiline fields based on a different string?

harsmarvania57 — Mon, 21 Jan 2019 15:49:21 GMT

Hi,

Can you please try this?

<yourBaseSearch> | rex field=_raw "(?s)(?:GC\spause|Full\sGC).*\[Eden\:\s(?<extracted_field>[^\]]*)"

Re: How do you extract multiline fields based on a different string?

AKG1_old1 — Mon, 21 Jan 2019 15:54:09 GMT

@harsmarvania57 : added sample data to question.

Re: How do you extract multiline fields based on a different string?

harsmarvania57 — Mon, 21 Jan 2019 15:57:17 GMT

Can you please try regex which I have provided ?

Re: How do you extract multiline fields based on a different string?

AKG1_old1 — Mon, 21 Jan 2019 16:01:47 GMT

yeap, I 'll try that. regex looks fine to me havn't tried it Splunk will try and update you. Thank you 🙂

Re: How do you extract multiline fields based on a different string?

woodcock — Mon, 21 Jan 2019 16:11:23 GMT

Use this RegEx:

:\s+\d+\.\d+:\s+\[(?<matching_string>\w+\s+\w+)

See here:
https://regex101.com/r/NUVWoD/1