Solved: Re: How to display the first 3 lines of an event t...

omuelle1 · ‎10-27-2016

Hi,

I have an alert set up that is triggered by an event that contains almost 100 lines. However, the users are only interested in the first three lines, the rest is noise to them.

Is there a way to only display the first three lines of the event without changing the sourcetype or altering anything in the backend? Like give a regex into the alert that cuts the event off after 3 lines? The lines always end with the same string: "Could not open connection"

I would appreciate some input.

Thank you,

Oliver

MattZerfas · ‎10-27-2016

Should be able to do something like this. I know the regex isn't nice and you will probably need to change it for your needs.

... | rex field=_raw "(?<FirstFewLines>(.*\n){3})" | table FirstFewLines

View solution in original post

somesoni2 · ‎10-27-2016

Give this a try

your current search | rex field=_raw "^(?<trimmed>(.+[\r\n]){3})" | eval _raw=trimmed

MattZerfas · ‎10-27-2016

Should be able to do something like this. I know the regex isn't nice and you will probably need to change it for your needs.

... | rex field=_raw "(?<FirstFewLines>(.*\n){3})" | table FirstFewLines

omuelle1 · ‎10-27-2016

Thank you guys, that was what I needed!

How to display the first 3 lines of an event that has triggered an alert?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!