https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28076#M5510 <P>Hi,</P> <P>I'm trying to search for some keywords that appear in multiple lines. I tried using regular expression in multi line mode (?m) but it does not work.</P> <P>In the search box, I put</P> <P>host=dev* | regex _raw="(?m)*POST*Can't read the image!*"</P> <P>I got the following error: Error in 'SearchOperator:regex': Invalid regex '(?m)<EM>Can't read the image!</EM>': nothing to repeat</P> <P>I'm on Splunk 4.0.8.</P> <P>Any input would be appreciated. Thank you.</P> Wed, 11 Aug 2010 06:10:31 GMT minalenan 2010-08-11T06:10:31Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28076#M5510 <P>Hi,</P> <P>I'm trying to search for some keywords that appear in multiple lines. I tried using regular expression in multi line mode (?m) but it does not work.</P> <P>In the search box, I put</P> <P>host=dev* | regex _raw="(?m)*POST*Can't read the image!*"</P> <P>I got the following error: Error in 'SearchOperator:regex': Invalid regex '(?m)<EM>Can't read the image!</EM>': nothing to repeat</P> <P>I'm on Splunk 4.0.8.</P> <P>Any input would be appreciated. Thank you.</P> Wed, 11 Aug 2010 06:10:31 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28076#M5510 minalenan 2010-08-11T06:10:31Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28077#M5511 <P>This is working for me with version 4.1.4.</P> <PRE><CODE>sourcetype=apilog | regex _raw="(?m)callerAction*" </CODE></PRE> <P>Data Example:</P> <PRE><CODE>#### 2010-08-10 18:52:45,177 nameSpace: content.static.API subscriber: 6129045580 callerID: TTCOV105440648-1368613 driver: content.jdbc.ContentDriver callerAction: MAR10446LA host: 10.25.50.109 connectionResult: SUCCESS Details: Successfully updated contentDB </CODE></PRE> <P>I would suggest an upgrade first.</P> <P>EDIT: Another thing that it might be throwing up on is the single quote you have in there, try escaping it: <CODE>Can\'t</CODE></P> Wed, 11 Aug 2010 06:56:00 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28077#M5511 Lamar 2010-08-11T06:56:00Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28078#M5512 <P>It does appear that the (?m) syntax should be supported by Splunk. But I am unclear why you need it in this search. If you are searching for "something" followed by "POST" followed by "something" followed by "Can't read the image!" then I think you could use</P> <PRE><CODE>host=dev* | regex _raw=".*POST.*Can't read the image!.*" </CODE></PRE> <P>If you want the exact string *POST*Can't read the image!* then you can search for</P> <PRE><CODE>host=dev* | regex _raw="\*POST\*Can't read the image!\*" </CODE></PRE> Wed, 11 Aug 2010 07:15:40 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28078#M5512 lguinn2 2010-08-11T07:15:40Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28079#M5513 <P>Lamar, do you really need the (?m) in your regex? I think it might work just as well without it.</P> Wed, 11 Aug 2010 07:17:04 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28079#M5513 lguinn2 2010-08-11T07:17:04Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28080#M5514 <P>Thanks for the answer.</P> <P>The word "Post" appears in a different line from "Can't read the image!" in the log files that Splunk indexed.</P> <P>2010-08-10 18:18:17,243 [http-8080-20 ][xxx.xxx.xxx.xxx]: INFO: POST /some_url<BR /> 2010-08-10 18:18:17,246 [http-8080-20 ][xxx.xxx.xxx.xxx]: DEBUG: Can't read the image!</P> Wed, 11 Aug 2010 08:34:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28080#M5514 minalenan 2010-08-11T08:34:23Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28081#M5515 <P>Thanks, Lamar. Unfortunately, I have no control over that. So, upgrading is not an option.</P> Wed, 11 Aug 2010 08:35:31 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28081#M5515 minalenan 2010-08-11T08:35:31Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28082#M5516 <P>You DO NOT, in fact, need the (?m) for the regex to work.</P> Wed, 11 Aug 2010 23:12:12 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28082#M5516 Lamar 2010-08-11T23:12:12Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28083#M5517 <P>minalenan: Additionally, reading your data below it appears that you might be consuming your data in a multiple 'event' fashion -- not a multiple 'line' fashion.</P> <P><CODE>2010-08-10 18:18:17,243 [http-8080-20 ][xxx.xxx.xxx.xxx]: INFO: POST /some_url</CODE></P> <P>As you point out, splunk is interpreting this as two separate events and I believe you won't be able to achieve pulling this together in this fashion (If that's what you're trying to do).</P> <P><CODE>2010-08-10 18:18:17,246 [http-8080-20 ][xxx.xxx.xxx.xxx]: DEBUG: Can't read the image!</CODE></P> <P>Moreover, if you're wanting to do a simple search of these events you might want to create a simple search that will look for both nuggets. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Something like this:</P> <P><CODE>host=dev* | search POST OR "Can't read the image!."</CODE></P> Thu, 12 Aug 2010 02:03:56 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28083#M5517 Lamar 2010-08-12T02:03:56Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28084#M5518 <P>Would this work for you? The transaction command will group events with the same ip address, where the first event has POST and the second has "Can't read the image". I arbitrarily specified that the two events should occur within 10 minutes of each other.</P> <P>This solution <STRONG>requires</STRONG> that Splunk recognizes the IP address in your events. I am assuming that the name of the IP address field is ip_addr</P> <PRE><CODE>host=dev* (post OR "Can't read the image!") | transaction ip_addr startswith=post endswith=image maxspan=10m </CODE></PRE> <P>BTW, what is the <STRONG>sourcetype</STRONG> of these events? If I knew the sourcetype, I might be able to make clearer suggestions. Thanks!</P> Thu, 12 Aug 2010 15:18:01 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28084#M5518 lguinn2 2010-08-12T15:18:01Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28085#M5519 <P>Yes, you are right. Splunk does interpret it as 2 separate events. Thanks.</P> Tue, 17 Aug 2010 06:02:14 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28085#M5519 minalenan 2010-08-17T06:02:14Z https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28086#M5520 <P>This works. The sourcetype is custom for our application. I have added sourcetype to the query to narrow down the search results more. Thanks a lot!</P> Tue, 17 Aug 2010 07:22:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-text-with-regex-multi-line-mode/m-p/28086#M5520 minalenan 2010-08-17T07:22:23Z