https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257697#M176880 <P>not related to this question, but, something strange related to "answers.splunk.com"...<BR /> this post was created only 4 days back, but it says 2k views for this post. <BR /> the similar posts created on the same day are having only 70 or 80 or 100 views !!!</P> Tue, 06 Sep 2016 15:40:33 GMT inventsekar 2016-09-06T15:40:33Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257690#M176873 <P>My splunk system is reading in logs as mutli lined events which is by design. So 1 event could have 300 lines or so.</P> <P>Here is an extract from that long log file of 3 HDDs 1 of which is faulty. </P> <PRE><CODE>15.5 : DRACKA z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk) 15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed) 15.7 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk) </CODE></PRE> <P>I need a REX that will extract to a field ONLY the middle line. The REX will be used in field extractor. </P> <P>Extracted field could be called "failed_disk_error" and the result would be</P> <PRE><CODE>15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed) </CODE></PRE> Tue, 29 Sep 2020 10:49:01 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257690#M176873 arrowecssupport 2020-09-29T10:49:01Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257691#M176874 <P>try this</P> <P>\n*(?.<EM>Failed))\n</EM></P> <P>you can test it on <A href="https://regex101.com/" target="_blank">https://regex101.com/</A><BR /> Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 10:52:18 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257691#M176874 gcusello 2020-09-29T10:52:18Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257692#M176875 <P>If i run it under field extractor it doesn't show anything up.</P> Fri, 02 Sep 2016 11:18:11 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257692#M176875 arrowecssupport 2016-09-02T11:18:11Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257693#M176876 <P>Try this </P> <PRE><CODE>(?m)[\n]+(?&lt;failed_disk_error&gt;.*\(Failed\)) </CODE></PRE> Fri, 02 Sep 2016 11:57:02 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257693#M176876 sundareshr 2016-09-02T11:57:02Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257694#M176877 <P>sorry but there was a mistake copying the regex:</P> <PRE><CODE>\n*(?&lt;myfield&gt;.*Failed\))\n* </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 02 Sep 2016 12:28:33 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257694#M176877 gcusello 2016-09-02T12:28:33Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257695#M176878 <P>Getting the issue where we get all lines up to the match.<BR /> So not just getting the 1 line i want but loads more.</P> Fri, 02 Sep 2016 16:09:34 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257695#M176878 arrowecssupport 2016-09-02T16:09:34Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257696#M176879 <P>To have more than one line you have to add /g at the end of the regex.<BR /> You can try it on <A href="https://regex101.com/">https://regex101.com/</A><BR /> Bye.<BR /> Giuseppe</P> Sun, 04 Sep 2016 07:05:03 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257696#M176879 gcusello 2016-09-04T07:05:03Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257697#M176880 <P>not related to this question, but, something strange related to "answers.splunk.com"...<BR /> this post was created only 4 days back, but it says 2k views for this post. <BR /> the similar posts created on the same day are having only 70 or 80 or 100 views !!!</P> Tue, 06 Sep 2016 15:40:33 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257697#M176880 inventsekar 2016-09-06T15:40:33Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257698#M176881 <P>if you're satisfied of the answer, please, accept the answer.<BR /> Bye.<BR /> Giuseppe</P> Fri, 09 Sep 2016 11:15:00 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257698#M176881 gcusello 2016-09-09T11:15:00Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257699#M176882 <P>(?-s)(?^.<EM>(Failed).</EM>$)</P> <P>This was the final REX that gave me exactly what i wanted. </P> Tue, 13 Sep 2016 15:42:44 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257699#M176882 arrowecssupport 2016-09-13T15:42:44Z https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257700#M176883 <P>Sorry it didn't resolve my issue. Thank you for you time on this.</P> Tue, 13 Sep 2016 15:43:23 GMT https://community.splunk.com/t5/Splunk-Search/REX-for-Multilined-event-extract-where-line-where-match-is-found/m-p/257700#M176883 arrowecssupport 2016-09-13T15:43:23Z