topic Re: How to create a regex or rex in a search to extract each line in a log event to separate events? in Splunk Search

How to create a regex or rex in a search to extract each line in a log event to separate events?

mani3033 — Wed, 05 Sep 2018 23:52:55 GMT

Hi Splunk Gurus - I am new to splunk, need your help on the below.

Below is how the events are getting into splunk, every event have multiple lines. Need a REX or REGEX to split every line as individual events.

15:44:26,951  INFO ALPSessionListener:21 - Session destroyed
15:44:27,437  INFO HomeController:121 - mapping -----/home
15:44:27,451  INFO AccessCardUtility:98 - In query payment method {https://alp.doc.company.com/doc/ccpwebservice/ServiceWeb.svc}
15:44:27,586  INFO HomeController:497 - User roles ----[Supervisor]
15:44:27,617  INFO ALPFilter:49 - User name:{InitialLogin}, Session Id:{x71d4QsDMRp0tpUAYH-LnEn-KRPdDPmsbgQpBLi7}, Login Date Time:{2018-09-05T15:44:27.617}, Resource accessing:{http://alp.doc.company.com/doc/WEB-INF/layout/GenericLayout.jsp}, Time Taken:{181ms}
15:44:27,904  INFO ALPInterceptor:70 - User has access to the URL/alp/ReconcileCashDrawer:{true}
15:44:27,904  INFO ReconcileCashDrawerController:121 - mapping -----/ReconcileCashDrawer
15:44:27,932  INFO ALPFilter:49 - User name:{JP19630}, Session Id:{fVrI3lxJKtjsd-IsoEr7An-14xrq}, Login Date Time:{2018-09-05T15:44:27.932}, Resource accessing:{http://alp.doc.company.com/doc/WEB-INF/layout/GenericLayout.jsp}, Time Taken:{28ms}
15:44:28,152  INFO ALPSessionListener:15 - ALP session created
15:44:28,207  INFO HandleDlsPaymentController:634 - payment response is ---org.datacontract.schemas._2004._07.Common_Payment_Common.GetPaymentInfoResponse@468bfb00
15:44:28,214  INFO RecPaymentController:71 - XML recieved {
15:44:28,214  INFO XMLUtility:51 - IN XML UTILITY
15:44:28,234  INFO ALPFilter:49 - User name:{InitialLogin}, Session Id:{gg6KJGawjksfdklafklto9ju8aQTzvaP2PLRum}, Login Date Time:{2018-09-05T15:44:28.234}, Resource accessing:{http://alp.doc.company.com/doc/settleSuccessful}, Time Taken:{783ms}
15:44:28,266  INFO ALPProductLlpsDAO:130 - number of products passed are {2}
15:44:28,346  INFO ALPSessionListener:15 - ALP session created

Re: How to create a regex or rex in a search to extract each line in a log event to separate events?

493669 — Thu, 06 Sep 2018 11:52:31 GMT

try this in props.conf

[sourcetype_name]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

Re: How to create a regex or rex in a search to extract each line in a log event to separate events?

inventsekar — Thu, 06 Sep 2018 12:09:26 GMT

Hi Mani.. this whole logs is a single event?!?!
by using regex, do you want to get single line as a separate "event"?!?!?

Need a REX or REGEX to split every line as individual events //
once indexed, we can not use rex/regex to split the events to individual events..

by rex/regex, we can "extract" the lines and then do some calculations/reportings, etc..

Re: How to create a regex or rex in a search to extract each line in a log event to separate events?

imthesplunker — Thu, 06 Sep 2018 13:30:15 GMT

Try in props.conf.

[sourcetype_name]
LINE_BREAKER =  ([\r\n]+)\d{1,2}\:\d{1,2}\:\d{1,2}
SHOULD_LINEMERGE = false
TIME_FORMAT = %H:%M:%S,%3N
TIME_PREFIX = ^

Re: How to create a regex or rex in a search to extract each line in a log event to separate events?

mani3033 — Thu, 06 Sep 2018 17:18:40 GMT

Yes the app team writes the dump in to log file so many lines in one event, i used props.conf finally

Re: How to create a regex or rex in a search to extract each line in a log event to separate events?

mani3033 — Thu, 06 Sep 2018 17:19:36 GMT

Thanks for all you responses, Finally i used the props.conf instead of trying to parse in the runtime search. It worked.