topic Rex to filter To remove multiline log entry in Splunk Search

Rex to filter To remove multiline log entry

Tijil480 — Fri, 26 Mar 2021 13:33:14 GMT

Please find the below single Log entry with multiple lines:

>Validation results

Message 1) sucess: true

Message 2) sucess: false

Reason : All is an invalid log event type

Message 3) sucess: true

......

Need rex to fetch only false with reason lines.

Remaining needs to be ignored.

Tried below rex not getting proper results.

|Rex field=_raw "(?ms)(?<result>(.*)(?:true)"|table result

ITWhisperer — Fri, 26 Mar 2021 13:37:21 GMT

To just get the reason:

| rex "(?ms)sucess: false[^\n]\n(?<field>[^\n]+)"

To get both lines:

| rex "(?ms)(?<field>[^\n]+sucess: false[^\n]+\n[^\n]+)"

richgalloway — Fri, 26 Mar 2021 13:42:27 GMT

Try this

| rex "(?<result>false[\s\S]*)Message" | table result

Tijil480 — Fri, 26 Mar 2021 15:10:12 GMT

Still it fetches sucess: true

ITWhisperer — Fri, 26 Mar 2021 15:13:06 GMT

Did you try this?

richgalloway — Fri, 26 Mar 2021 16:01:14 GMT

Tijil480 — Fri, 26 Mar 2021 16:02:13 GMT

Both queries are not returning any reaults

ITWhisperer — Fri, 26 Mar 2021 16:04:55 GMT

Perhaps if you could share some more realistic log data (anonymised of course) it might help us work out what may be going wrong