topic Re: Extracting number of fields from a multi line event in Splunk Search

Extracting number of fields from a multi line event

hiwell — Wed, 23 Jun 2010 06:06:37 GMT

Hello,

I am trying to extract fields from an event which looks like this (I have multiple events)

total time (ms): 5 
web server processing time (ms/%): 2 40 
transmission time (ms/%): 3 60 
bytes sent/received: 100 200 
start time (ms): 1234 
end time(ms): 2345

some lines have one field, and other have two fields making it impossible for me to extract these numbers. I would like splunk to create two separate fields for the lines which have two parameters but I have not been successful in doing so. Anyone have any idea(s) to get this to work? Or is this not possible. Thanks!

Re: Extracting number of fields from a multi line event

katalinali — Wed, 23 Jun 2010 09:45:21 GMT

You may need to break every line as an event and define two regex like:

REGEX...:(\d+)\s+(\d+) FORMAT=field1::$1 field2::$2

REGEX=...:(\d+) FORMAT=field3::$1

Re: Extracting number of fields from a multi line event

hiwell — Sat, 26 Jun 2010 01:57:23 GMT

I ended up writing a script to pre-process the file to make the data Splunk-friendly.

Re: Extracting number of fields from a multi line event

hiwell — Wed, 30 Jun 2010 01:23:25 GMT

😞 it definitely pulls out a few of the fields but its very redundant and the regexes triggers for all the events giving a lot of garbage fields. Thanks though! This could be useful for other cases