topic Re: Is there a way to capture the last line/sentence of the log in a field? in Splunk Search

Is there a way to capture the last line/sentence of the log in a field?

Cheng2Ready — Tue, 13 Aug 2024 00:53:24 GMT

There is no Pattern or punctuation so running Regex might not work in this situation since I cant know what kind of Error or pattern will appear in the final line/sentence in the field.
the last sentence can be anything and unpredictable so just wanted to see if there is a way to grab the last line of log that is in the field.

This example most likely wont help but paints a picture that I just want the last line.

index=example
|search "House*"
|table Message

log looks similar like this:

Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example /local/line499
D://example ......a bunch of sensative information
D://example /crab/lin650
D://example ......a bunch of sensative information
D://user/local/line500

Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : someone stepped on the wire.

Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://user/local/line980 ,indo

Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : Simon said Look

Goal:
D://user/local/line500
Error : someone stepped on the wire.
D://user/local/line980 ,indo
Error : Simon said Look

I hope this makes sense....

Re: Is there a way to capture the last line/sentence of the log in a field?

KendallW — Tue, 13 Aug 2024 01:28:42 GMT

Hi @Cheng2Ready Yes, you just have to split each line of the field as a separate event, then you can use stats last to grab the last line:

index=example "House*" Message=* | makemv Message | mvexpand Message | stats last(Message) as last_line

Re: Is there a way to capture the last line/sentence of the log in a field?

Cheng2Ready — Tue, 13 Aug 2024 15:14:52 GMT

@KendallW Thank you for the response
but it returned only a single word no the whole sentence

('testing',

when I table it it splits it into like this:

Starting logs

recent

logs) :

( most
😧

"/example ......a bunch of sensative information"

Error:

someone stepped on the wire.

Goal is to have it like this:
D:"//user/local/line500"
Error : someone stepped on the wire.
D://user/local/line980 ,indo
Error : Simon said Look

Re: Is there a way to capture the last line/sentence of the log in a field?

yuanliu — Wed, 14 Aug 2024 04:40:52 GMT

I don't know how to extract last sentence, but last line is easy.

| eval lastline = mvindex(split(Message, " "), -1)

Here is a data emulation you can play with and compare with real data

| makeresults | fields - _* | eval Message = mvappend("Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example /local/line499 D://example ......a bunch of sensative information D://example /crab/lin650 D://example ......a bunch of sensative information D://user/local/line500", "Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : someone stepped on the wire", "Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://user/local/line980 ,indo", "Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : Simon said Look") | mvexpand Message ``` the above emulates index=example "House*" ```

Output using this emulation is

Message	lastline
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example /local/line499 D://example ......a bunch of sensative information D://example /crab/lin650 D://example ......a bunch of sensative information D://user/local/line500	D://user/local/line500
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : someone stepped on the wire	Error : someone stepped on the wire
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://user/local/line980 ,indo	D://user/local/line980 ,indo
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : Simon said Look	Error : Simon said Look