
REX for Multilined event + extract where line where match is found

Communicator

My Splunk system is reading in logs as multi-line events, which is by design. So 1 event could have 300 lines or so.

Here is an extract from that long log file of 3 HDDs 1 of which is faulty.

15.5 : DRACKA    z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)
15.6 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
15.7 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)

I need a REX that will extract to a field ONLY the middle line. The REX will be used in field extractor.

Extracted field could be called "failed_disk_error" and the result would be

15.6 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
1 Solution

Communicator

(?-s)(?<failed_disk_error>^.*\(Failed\).*$)

This was the final REX that gave me exactly what I wanted.


Super Champion

Not related to this question, but something strange related to "answers.splunk.com"...
This post was created only 4 days back, but it says 2k views for this post.
The similar posts created on the same day have only 70 or 80 or 100 views!!!


Legend

Try this

(?m)[\n]+(?<failed_disk_error>.*\(Failed\))

Legend

try this

\n*(?.Failed))\n

you can test it on https://regex101.com/
Bye.
Giuseppe


Communicator

If I run it under field extractor it doesn't show anything up.


Legend

sorry but there was a mistake copying the regex:

\n*(?<myfield>.*Failed\))\n*

Bye.
Giuseppe


Communicator

Getting the issue where we get all lines up to the match.
So not just getting the 1 line I want but loads more.

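An added Python example, not from this thread or from Splunk, that reproduces the two behaviours discussed above on the three-line excerpt from the question (used here as one constructed multi-line event): the `\n*(?<myfield>.*Failed\))\n*` pattern swallowing every line up to the match when dot matches newlines, and the accepted `(?-s)`-style pattern capturing only the `(Failed)` line. Python's `re` spells named groups as `(?P<name>...)` and has no global `(?-s)` switch, so the dot-matches-newline state is emulated with the `re.S` flag; the function and group names are my own.

```python
import re

# Constructed sample event: the three-line excerpt from the question, treated
# as a single multi-line event (serial numbers are made up, as in the question).
EVENT = (
    "15.5 : DRACKA    z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)\n"
    "15.6 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)\n"
    "15.7 : DRACKA    z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)\n"
)

# The \n*(?<myfield>.*Failed\))\n* pattern from the thread, run with dot
# matching newlines (re.S). The greedy .* runs across line breaks, so the
# group captures everything from the start of the event down to "(Failed)".
GREEDY_DOTALL = re.compile(r"\n*(?P<myfield>.*Failed\))\n*", re.S)

# Equivalent of the accepted answer: dot stops at newlines (no re.S, which is
# what (?-s) asks for) and ^/$ anchor per line (re.M), so only the "(Failed)"
# line is captured.
ONE_LINE = re.compile(r"^(?P<failed_disk_error>.*\(Failed\).*)$", re.M)

# Same pattern without per-line anchors: ^ and $ then mean start and end of
# the whole event, which the middle line can never satisfy.
ONE_LINE_NO_M = re.compile(r"^(?P<failed_disk_error>.*\(Failed\).*)$")


def _capture(pattern, event, group):
    """Return the named group of the first match, or None when nothing matches."""
    m = pattern.search(event)
    return m.group(group) if m else None


def extract_greedy(event=EVENT):
    """Reproduces the 'all lines up to the match' result reported in the thread."""
    return _capture(GREEDY_DOTALL, event, "myfield")


def extract_failed_line(event=EVENT):
    """Returns just the line ending in (Failed), like the accepted regex."""
    return _capture(ONE_LINE, event, "failed_disk_error")


def extract_failed_line_whole_event_anchors(event=EVENT):
    """Shows why the anchors must apply per line: this variant matches nothing."""
    return _capture(ONE_LINE_NO_M, event, "failed_disk_error")


def line_count(text):
    """Number of lines in a captured value (None counts as zero)."""
    return 0 if text is None else text.count("\n") + 1


if __name__ == "__main__":
    print("greedy capture spans", line_count(extract_greedy()), "lines")
    print("single-line capture:", extract_failed_line())
    print("without per-line anchors:", extract_failed_line_whole_event_anchors())
```

The third function is the caveat worth checking in your own environment: turning dot-matches-newline off only keeps `.*` on one line; whether `^` and `$` also anchor per line depends on the engine's multiline setting, which the thread does not state for Splunk's field extractor, so test the final pattern against a real multi-line event (or paste the event into https://regex101.com/ with the same flags) before relying on it.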

Legend

To have more than one line you have to add /g at the end of the regex.
You can try it on https://regex101.com/
Bye.
Giuseppe


Legend

If you're satisfied with the answer, please accept the answer.
Bye.
Giuseppe


Communicator

Sorry, it didn't resolve my issue. Thank you for your time on this.
