Getting Data In

Ignore data after CRLF

donemery
Explorer

When running a search, the _raw field returns results that typically end with the ] character. On a rare occasion the search has a CRLF and additional lines of data. I am trying to figure out a way to ignore anything beyond the last ] or after a CRLF.

Example 1:
Jun 14 13:00:00 -07:00 HOSTNAME condition is inside brackets

Example 2:
Jun 14 13:00:00 -07:00 HOSTNAME [condition is inside brackets]
Jun 14 13:00:00 -07:00 HOSTNAME [unexpected results here]

My goal in example 2 is to only return the results of the first line.

Thanks

0 Karma

woodcock
Esteemed Legend

You are not going to like this answer but the problem is not in your searching, it is in your forwarding. These events are not properly line-broken. Somebody has either redefined LINE_BREAKER or turned on SHOULD_LINEMERGE = true. You need to find the props.conf settings on the Indexers or HF for this sourcetype and fix the line-breaking. Then you will not have this problem AND the data will be correct for everybody, without mis-joined events.

0 Karma

donemery
Explorer

Thanks for your help! We were working on fixing the configuration issue as well and fortunately it is resolved now.

0 Karma

chrisyounger
SplunkTrust

Give this a try:

| rex "\](?:\s*\((?<results_normal>[^\)]*)|[^\[]+\[(?<result_unusual>[^\]]*))" | table results_normal result_unusual _raw

0 Karma

chrisyounger
SplunkTrust

Actually this might be closer to what you need if you just want to delete everything after the first line:

| rex mode=sed field=_raw "s/\r?\n[\s\S]*//"

donemery
Explorer

Both options worked for me. Thanks so much for your help!

0 Karma

chrisyounger
SplunkTrust

Just in case that one doesn't work, give this a try too:

| rex mode=sed field=_raw "s/][\s\S]*/]/"

0 Karma

DalJeanis
Legend

I've posted this as a little regex challenge in the #regex channel of the Splunk Slack channel. You should get a way to do this shortly.

The general form of this is

| rex mode=sed field=_raw "s/thing you want to change/thing you want to change it to/g"

...so in between the first two /, you need to match CRLF and then everything to the end of the event, and then put nothing between the second and third /.

0 Karma
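The two approaches in this thread behave very differently on the mis-joined event from Example 2: the search-time sed-mode rex hides the second line, while fixing line breaking at ingest (woodcock's answer) turns it into its own searchable event. The following Python is an added illustration, not code from the thread or from Splunk; it emulates the two posted sed expressions and a LINE_BREAKER-style split using Splunk's default separator `([\r\n]+)`, on a constructed copy of the Example 2 event.

```python
import re
from typing import List

# Constructed sample: two syslog-style records that a forwarder mis-joined
# into ONE event (the thread's Example 2), separated by a CRLF.
MISJOINED_EVENT = (
    "Jun 14 13:00:00 -07:00 HOSTNAME [condition is inside brackets]\r\n"
    "Jun 14 13:00:00 -07:00 HOSTNAME [unexpected results here]"
)

# Search-time workaround from the thread: rex mode=sed "s/\r?\n[\s\S]*//"
SED_CRLF = re.compile(r"\r?\n[\s\S]*")

def truncate_at_crlf(raw: str) -> str:
    """Emulate the sed-mode rex: drop everything from the first line break on."""
    return SED_CRLF.sub("", raw, count=1)

# Second workaround from the thread: "s/][\s\S]*/]/" keeps text up to the first ']'.
SED_BRACKET = re.compile(r"\][\s\S]*")

def truncate_at_bracket(raw: str) -> str:
    """Emulate the sed-mode rex that cuts after the first closing bracket."""
    return SED_BRACKET.sub("]", raw, count=1)

# Ingest-time fix: emulate LINE_BREAKER with Splunk's default value ([\r\n]+).
# In props.conf the capture group is the separator and is discarded, so
# SHOULD_LINEMERGE = false plus this breaker yields one event per line.
LINE_BREAKER = re.compile(r"([\r\n]+)")

def line_break(stream: str) -> List[str]:
    """Split a raw stream into events the way a correct LINE_BREAKER would."""
    parts = LINE_BREAKER.split(stream)
    # re.split with a capture group returns [event, sep, event, sep, ...];
    # the even positions are the events, the odd ones the consumed separators.
    return [p for p in parts[::2] if p]

def dropped_by_truncation(raw: str) -> List[str]:
    """Records that search-time truncation hides but proper line breaking keeps."""
    kept = truncate_at_crlf(raw)
    return [e for e in line_break(raw) if e != kept]

if __name__ == "__main__":
    print("truncated :", truncate_at_crlf(MISJOINED_EVENT))
    print("events    :", line_break(MISJOINED_EVENT))
    print("hidden    :", dropped_by_truncation(MISJOINED_EVENT))
```

Both sed expressions return only the first record; the second record, which may be the one a detection actually needs, is never seen by the search, whereas the line-broken stream keeps it as a separate event.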