topic Re: Regex : Keep Left Indention in Splunk Search

Regex : Keep Left Indention

Sukisen1981 — Sat, 14 Jul 2018 07:33:06 GMT

Hi,
I have logs like this : Exception in thread "main" java.lang.RuntimeException: Some other message at Exceptions.main(Exceptions.java:4) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147) Caused by: java.lang.RuntimeException: Some message at Exceptions.main(Exceptions.java:3)
These are my raw events and I am able to extract them using regex, my issue is the left indentation for the first line and "Caused by" is of course, missing when i extract them using regex. Currently my regex return something like this:Exception in thread "main" java.lang.RuntimeException: Some other message at Exceptions.main(Exceptions.java:4) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147) Caused by: java.lang.RuntimeException: Some message at Exceptions.main(Exceptions.java:3)
Is there a way to preserve the left indentation wherever applicable?

Re: Regex : Keep Left Indention

jkat54 — Sat, 14 Jul 2018 08:45:25 GMT

You can use rex in sed mode to remove spaces at the beginning of lines in your field.

| rex field=yourFieldName mode=sed “s/^\s+//g”

Re: Regex : Keep Left Indention

Sukisen1981 — Sat, 14 Jul 2018 08:50:31 GMT

Hi yes, the sed mode is one option, and I was not clear on stating my initial needs. I meant , can something apply to this extraction in specific only?
I have other raw fields with lines having indentation and I do not want them to retain their original indents. The other set should come without indents. When i apply the sed regex above it applies to all my raw events, and i don't want that

Re: Regex : Keep Left Indention

jkat54 — Sat, 14 Jul 2018 09:16:21 GMT

Change field=yourFieldName to the field name that you want to apply this to. By default it uses _raw which is all the data.

Re: Regex : Keep Left Indention

Sukisen1981 — Sat, 14 Jul 2018 09:20:24 GMT

Hi, Thanks a lot. I am a bit under the weather today, but I feel we are pretty near, the issue here is I am trying this on _raw field and I have to as these are raw log entries. So, how can I assign a field name here?
If i assign _raw it of course takes all the events AND I have to apply this to the _raw events.
Just one step away I guess :)?

Re: Regex : Keep Left Indention

jkat54 — Sat, 14 Jul 2018 11:16:05 GMT

I’m confused. Can you share a screenshot of your search and the results?

Re: Regex : Keep Left Indention

woodcock — Sat, 14 Jul 2018 22:00:57 GMT

I cover this in in this Q&A but the problem is that Splunk presents newlines in data as spaces and there is NO way to change this. The work-around is to split the field into a multi-valued field at each newline:

https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html