topic Re: how to match new lines in splunk in Splunk Search

how to match new lines in splunk

ankithreddy777 — Thu, 09 Feb 2017 22:33:02 GMT

I have a event as below

nam=this is org name;
-this is hyta name;
-this is hju name;
falu= this is gao name

I need to match multiple lines. until the line "falu=". May I know how to match multiple lines.

Re: how to match new lines in splunk

somesoni2 — Thu, 09 Feb 2017 22:45:34 GMT

Give this a try

your base search | rex "name=(?<YourField>(.+[\r\n]+)falu="

Re: how to match new lines in splunk

woodcock — Sat, 18 Feb 2017 22:56:42 GMT

You need to specify multiline like this:

Your Base Search | rex "(?ms)name=(?<YourField>(.+)[\r\n]+falu="

Re: how to match new lines in splunk

aaraneta_splunk — Sun, 12 Mar 2017 21:26:30 GMT

@ankithreddy777 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.