https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155759#M185714 <P>Your REGEX line is not the same as mine. The asterisks are critical. If you want "position" to remain with the first event, try this regex:</P> <PRE><CODE>(.*position)(?=[^:])(.*) </CODE></PRE> Wed, 10 Dec 2014 20:22:31 GMT richgalloway 2014-12-10T20:22:31Z https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155756#M185711 <P>Hello,</P> <P>i have an application that has an bug in the logging, but i need to workaround it. </P> <P>log structure:</P> <PRE><CODE>Dec 10 13:21:09 abc: request: Session: ****** User-Agent: ******** Content-Length: **** Content-Type: ********* positionDec 10 13:22:09 abc: reply: Session: ******** Date: 2014-12-09T14:33:09Z Range: ***** Scale: **** Content-Type: **** Content-Length: *** position: ****** </CODE></PRE> <P>this are two events. in the request event it writes at the and in the beginning of the replay message "position:"</P> <P>i tried already with seed to remove the "position:" - but it is valid in the replay event and it would remove this one as well. </P> <P>i guess i need to do it via transforms.conf as it needs to be done before we check for the timestamp, otherwise the full line will be used to the event to detect the timestamp. </P> <P>i tried to add via transforms a line break, but did not work.</P> <PRE><CODE>[position-fix] REGEX = (?m)^(.*)position.* FORMAT = $1\n position1$2 DEST_KEY = _raw </CODE></PRE> <P>thanks a lot for any advice.</P> Wed, 10 Dec 2014 12:30:41 GMT https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155756#M185711 mmaier_splunk 2014-12-10T12:30:41Z https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155757#M185712 <P>The following should remove the stray "position"</P> <PRE><CODE>REGEX = (.*)position(?=[^:])(.*) FORMAT = $1\n$2 DEST_KEY = _raw </CODE></PRE> Wed, 10 Dec 2014 14:45:51 GMT https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155757#M185712 richgalloway 2014-12-10T14:45:51Z https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155758#M185713 <P>Hi richgalloway,</P> <P>your suggestion doesn't work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>props.conf:</P> <PRE><CODE>[abc_xyzprovider] BREAK_ONLY_BEFORE = abc: MAX_TIMESTAMP_LOOKAHEAD = 15 NO_BINARY_CHECK = 1 TIME_FORMAT = %b %d %H:%M:%S TRANSFORMS-positionfix = position-fix TZ = UTC pulldown_type = 1 </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[position-fix] REGEX = (.)position(?=[^:])(.) FORMAT = $1\n$2 DEST_KEY = _raw </CODE></PRE> <P>Still the "position" element (which belongs to the last event) is shown in the next event.</P> Wed, 10 Dec 2014 19:37:58 GMT https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155758#M185713 lrudolph 2014-12-10T19:37:58Z https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155759#M185714 <P>Your REGEX line is not the same as mine. The asterisks are critical. If you want "position" to remain with the first event, try this regex:</P> <PRE><CODE>(.*position)(?=[^:])(.*) </CODE></PRE> Wed, 10 Dec 2014 20:22:31 GMT https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155759#M185714 richgalloway 2014-12-10T20:22:31Z https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155760#M185715 <P>Sorry, copy &amp; paste must have missed something. But also with correct regex the result is:</P> <PRE><CODE>\nDec 9 14:33:09 abc: reply: </CODE></PRE> <P>Sideeffect is also that everything that comes after this first line from the event is somehow deleted.</P> Thu, 11 Dec 2014 07:02:16 GMT https://community.splunk.com/t5/Splunk-Search/Modifying-multi-line-event-before-indexing/m-p/155760#M185715 lrudolph 2014-12-11T07:02:16Z