https://community.splunk.com/t5/Splunk-Search/How-can-i-break-multiple-lines-of-a-log/m-p/85518#M21857 <P>How can i break this lines ?</P> <P>I used this regex but i can't obtain multiple data of each event with lot uid:</P> <P>Regex:<BR /><BR /><BR /> [ldif]<BR /> EXTRACT-ldifid = uniqueMember:\suid=(?<LDIFID>[^\,]+)</LDIFID></P> <P>uniqueMember: uid=b072psre,ou=people,o=b072,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044ghna,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044aaqu,ou=People,o=B044,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044mgcr,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044aasa,ou=People,o=B044,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044ogre,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044ggre,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b132mdga,ou=people,o=b132,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b830gosa,ou=People,o=B830,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b132vhga,ou=People,o=B132,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp</P> <P>Show all 242 lines<BR /><BR /><BR /> • host=ldif-locales<BR /><BR /> • source=OperadoresLocales.ldif<BR /><BR /> • sourcetype=ldif<BR /><BR /> • uid=b072psre<BR /><BR /> • ldifid=b072psre</P> <P>I want extract the values of the consecutive rows, then i can make a top of "uid"s, Splunk only returns one "uid" for each log.</P> Fri, 11 Jan 2013 18:49:54 GMT nettrigger 2013-01-11T18:49:54Z https://community.splunk.com/t5/Splunk-Search/How-can-i-break-multiple-lines-of-a-log/m-p/85518#M21857 <P>How can i break this lines ?</P> <P>I used this regex but i can't obtain multiple data of each event with lot uid:</P> <P>Regex:<BR /><BR /><BR /> [ldif]<BR /> EXTRACT-ldifid = uniqueMember:\suid=(?<LDIFID>[^\,]+)</LDIFID></P> <P>uniqueMember: uid=b072psre,ou=people,o=b072,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044ghna,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044aaqu,ou=People,o=B044,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044mgcr,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044aasa,ou=People,o=B044,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044ogre,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b044ggre,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b132mdga,ou=people,o=b132,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b830gosa,ou=People,o=B830,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp<BR /> uniqueMember: uid=b132vhga,ou=People,o=B132,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp</P> <P>Show all 242 lines<BR /><BR /><BR /> • host=ldif-locales<BR /><BR /> • source=OperadoresLocales.ldif<BR /><BR /> • sourcetype=ldif<BR /><BR /> • uid=b072psre<BR /><BR /> • ldifid=b072psre</P> <P>I want extract the values of the consecutive rows, then i can make a top of "uid"s, Splunk only returns one "uid" for each log.</P> Fri, 11 Jan 2013 18:49:54 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-break-multiple-lines-of-a-log/m-p/85518#M21857 nettrigger 2013-01-11T18:49:54Z https://community.splunk.com/t5/Splunk-Search/How-can-i-break-multiple-lines-of-a-log/m-p/85519#M21858 <P>You need to add the directive <CODE>MV_ADD = true</CODE> in props.conf. By default Splunk will just extract one value and then stop - but if you specify <CODE>MV_ADD = true</CODE> it will continue matching and create a multivalued field holding all values.</P> Fri, 11 Jan 2013 19:39:22 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-break-multiple-lines-of-a-log/m-p/85519#M21858 Ayn 2013-01-11T19:39:22Z https://community.splunk.com/t5/Splunk-Search/How-can-i-break-multiple-lines-of-a-log/m-p/85520#M21859 <P>Thank you ! The lines is broken now ! But i don't understand why some lines is together yet.</P> Tue, 22 Jan 2013 19:13:06 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-break-multiple-lines-of-a-log/m-p/85520#M21859 nettrigger 2013-01-22T19:13:06Z