https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654977#M226258 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253572">@Thulasinathan_M</a>,</P><P>yes I supposed this, for this reason I hinted to do this!</P><P>Could you share some sample of your logs?</P><P>Ciao.</P><P>Giuseppe</P> Sun, 20 Aug 2023 16:33:06 GMT gcusello 2023-08-20T16:33:06Z https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654972#M226254 <P>Hi Splunk Experts,</P> <P>I'm trying to list all the events on same timestamp and trying to capture only the required lines. But I'm not getting the expected results, seems like there is no "\n" in the aggregated event eventhough it breaks into new lines. Kindly shred some lights. Thanks in advance!!</P> <P>&nbsp;</P> <P>I've events something like below, after aggregating them by _time:</P> <P>&nbsp;</P> <LI-CODE lang="markup">Line1 blablabla Line2 blablabla &lt;Interested line1&gt; &lt;Interested line2&gt; &lt;Interested line3&gt; &lt;Ends Here&gt; Unwanted Line blablabla</LI-CODE> <P>&nbsp;</P> <P><BR />Query Using:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=xxx | reverse | stats list(_raw) as raw by _time | rex field=raw "(?&lt;Events&gt;(\&lt;Interested.*)((\n.*)?)+\&lt;Ends Here\&gt;)"</LI-CODE> <P>&nbsp;</P> <P><BR />Result for the Above query:</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;Interested line1&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 21 Aug 2023 19:45:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654972#M226254 Thulasinathan_M 2023-08-21T19:45:48Z https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654974#M226255 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253572">@Thulasinathan_M</a>,</P><P>did you tried to invert the two commands?</P><LI-CODE lang="markup">index=xxx | bin span=1h _time | rex "(?&lt;Events&gt;(\&lt;Interested.*)((\n.*)?)+\&lt;Ends Here\&gt;)" | stats values(Events) AS Events BY _time</LI-CODE><P>In addition, when you use _time as grouping key, usa always a bin command to group _time values or use timechart command, otherwise you'll have too many results.</P><P>Ciao.</P><P>Giuseppe</P> Sun, 20 Aug 2023 15:12:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654974#M226255 gcusello 2023-08-20T15:12:13Z https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654976#M226257 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>!!<BR />But those are Single Line Events, so I can't perform REX before stats.</P> Sun, 20 Aug 2023 15:52:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654976#M226257 Thulasinathan_M 2023-08-20T15:52:13Z https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654977#M226258 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253572">@Thulasinathan_M</a>,</P><P>yes I supposed this, for this reason I hinted to do this!</P><P>Could you share some sample of your logs?</P><P>Ciao.</P><P>Giuseppe</P> Sun, 20 Aug 2023 16:33:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654977#M226258 gcusello 2023-08-20T16:33:06Z https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654978#M226259 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;Sure, Here is the sample Events, which are all of single line events.<BR /><BR /></P><LI-CODE lang="markup">index=xxx | reverse | stats list(_raw) as raw by _time | rex field=raw "(?&lt;Events&gt;(Event Type.*)((\n.*)?)+Event ID: \d+)"</LI-CODE><P><BR />Events:</P><LI-CODE lang="markup">2023-08-20 22:10:10.879 Date: 20/08/2023</LI-CODE><LI-CODE lang="markup">2023-08-20 22:10:10.879 User: DILE\Administrator</LI-CODE><LI-CODE lang="markup">2023-08-20 22:10:10.879 Event Type: Information</LI-CODE><LI-CODE lang="markup">2023-08-20 22:10:10.879 Event Source: AdsmClientService</LI-CODE><LI-CODE lang="markup">2023-08-20 22:10:10.879 Event Category: None</LI-CODE><LI-CODE lang="markup">2023-08-20 22:10:10.879 Event ID: 4101</LI-CODE><LI-CODE lang="markup">2023-08-20 22:10:10.879 Computer: MIKEDILE</LI-CODE> Sun, 20 Aug 2023 16:46:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654978#M226259 Thulasinathan_M 2023-08-20T16:46:53Z https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654981#M226260 <P>It looks like that your intention is to capture raw events with "Event Type" and "Event ID" in them. &nbsp;It would have been so much easier if you just describe the actual goal.</P><P>You are correct that when you use list command, the resultant field doesn't have newline "\n" in it. &nbsp;It is simply a multivalued field that Splunk's Statistics tab presents in multiple lines.</P><P>I see two different approaches to this problem. &nbsp;But before that, let me comment that you should approach your developer or aggregator, whoever made these logs into multiple events, and beg, harass, or intimidate them to combine these into a single event for Splunk. &nbsp;It will not only be better for Splunk, but also for people who may read the log files manually.</P><P>The most straightforward approach will be to not bother with regex or "\n".</P><LI-CODE lang="markup">index=xxx | reverse | stats list(_raw) as raw by _time | eval Events = mvappend(mvfind(raw, "Event Type:"), mvfind(raw, "Event End:"))</LI-CODE><P>Note "Events" here is also multi-valued. &nbsp;In my opinion, multivalued fields are more useful subsequently. &nbsp;But if you really want them to be single valued with newline, just insert newline as exemplified in the next method.</P><P>If you really, really must go with "\n", just insert it.</P><LI-CODE lang="markup">index=xxx | reverse | stats list(_raw) as raw by _time | eval raw = mvjoin(raw, " ") | rex field=raw "(?&lt;Events&gt;(Event Type.*)((\n.*)?)+Event ID: \d+)"</LI-CODE><P>&nbsp;</P> Sun, 20 Aug 2023 23:22:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/654981#M226260 yuanliu 2023-08-20T23:22:25Z https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/655005#M226270 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253572">@Thulasinathan_M</a>,</P><P>as I said, you can extract fields before the stats command and then use the xtracted field (or fields) in addition to the entire raw:</P><P>&nbsp;</P><LI-CODE lang="markup">index=xxx | rex "(?&lt;Events&gt;(Event Type.*)((\n.*)?)+Event ID: \d+)" | stats list(_raw) AS raw values(Event_Type) AS Event_Type BY _time</LI-CODE><P>&nbsp;</P><P>if you want you can extract also the other fields in the same way, always before the stats command.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 21 Aug 2023 09:18:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-all-the-events-on-same-timestamp-and-capture-only/m-p/655005#M226270 gcusello 2023-08-21T09:18:45Z