Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

REX for Multilined event + extract where line where match is found

arrowecssupport
Communicator
‎09-02-2016 02:05 AM

My splunk system is reading in logs as mutli lined events which is by design. So 1 event could have 300 lines or so.

Here is an extract from that long log file of 3 HDDs 1 of which is faulty. 

15.5 : DRACKA    z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)
15.6 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
15.7 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)

I need a REX that will extract to a field ONLY the middle line. The REX will be used in field extractor.

Extracted field could be called "failed_disk_error" and the result would be

15.6 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arrowecssupport
Communicator
‎09-13-2016 08:42 AM

(?-s)(?^.(Failed).$)

This was the final REX that gave me exactly what i wanted.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

arrowecssupport
Communicator
‎09-13-2016 08:42 AM

(?-s)(?^.(Failed).$)

This was the final REX that gave me exactly what i wanted.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-06-2016 08:40 AM

not related to this question, but, something strange related to "answers.splunk.com"...
this post was created only 4 days back, but it says 2k views for this post.
the similar posts created on the same day are having only 70 or 80 or 100 views !!!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-02-2016 04:57 AM

Try this 

(?m)[\n]+(?<failed_disk_error>.*\(Failed\))
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-02-2016 03:53 AM

try this

\n*(?.Failed))\n

you can test it on https://regex101.com/
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

arrowecssupport
Communicator
‎09-02-2016 04:18 AM

If i run it under field extractor it doesn't show anything up.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-02-2016 05:28 AM

sorry but there was a mistake copying the regex:

\n*(?<myfield>.*Failed\))\n*

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

arrowecssupport
Communicator
‎09-02-2016 09:09 AM

Getting the issue where we get all lines up to the match.
So not just getting the 1 line i want but loads more.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-04-2016 12:05 AM

To have more than one line you have to add /g at the end of the regex.
You can try it on https://regex101.com/
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-09-2016 04:15 AM

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

arrowecssupport
Communicator
‎09-13-2016 08:43 AM

Sorry it didn't resolve my issue. Thank you for you time on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...