My Splunk system is reading in logs as multi-line events, which is by design. So 1 event could have 300 lines or so.
Here is an extract from that long log file of 3 HDDs 1 of which is faulty.
15.5 : DRACKA z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)
15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
15.7 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)
I need a REX that will extract ONLY the middle line to a field. The REX will be used in the field extractor.
The extracted field could be called "failed_disk_error", and the result would be:
15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
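One way to build and check such an extraction, as an added example that is not part of the original post or of Splunk's own code: the regex anchors on a whole line that ends in "(Failed)" and uses a character class that cannot cross a line break, so the neighbouring healthy disk lines are never pulled into the field. The sample event below is constructed (the post's extract was flattened onto one line), the column names slot/model/serial/port are assumptions about what the columns mean, and the Python script only stands in for Splunk's PCRE engine: Splunk spells the named group `(?<failed_disk_error>...)`, Python spells the same group `(?P<failed_disk_error>...)`; the rest of the pattern is identical in both.

```python
import re
from typing import List, Optional, Dict

# Constructed sample of one multi-line event: three disk lines, one reporting
# "(Failed)". This is test data for the example, not the poster's actual log.
SAMPLE_EVENT = (
    "15.5 : DRACKA z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)\n"
    "15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)\n"
    "15.7 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)\n"
)

# (?m) makes ^ and $ match at line boundaries inside a multi-line event.
# [^\r\n]* deliberately stops at a line break, so even with a 300-line event
# the capture is exactly one line and never the healthy disks around it.
# Splunk/PCRE form of the same pattern:
#   (?m)^(?<failed_disk_error>[^\r\n]*\(Failed\)[^\r\n]*)$
FAILED_LINE_RE = re.compile(
    r"(?m)^(?P<failed_disk_error>[^\r\n]*\(Failed\)[^\r\n]*)$"
)

# Stricter per-line parser for the same disk lines. Column names (slot, model,
# serial, port) are assumed; the post does not say what each column is.
DISK_LINE_RE = re.compile(
    r"(?m)^(?P<slot>\d+\.\d+)\s*:\s*"
    r"(?P<model>\S+)\s+(?P<serial>\S+)\s+(?P<port>\S+)\s+"
    r"(?P<size>[\d.]+GB)\s+(?P<sector>\d+B)/sect\s+"
    r"\((?P<status>[^)]*)\)$"
)


def extract_failed_disk_error(event: str) -> Optional[str]:
    """Return the single '(Failed)' line from a multi-line event, or None
    when the event reports no failed disk (the common, healthy case)."""
    m = FAILED_LINE_RE.search(event)
    return m.group("failed_disk_error") if m else None


def extract_all_failed_lines(event: str) -> List[str]:
    """Same extraction, but returns every '(Failed)' line: a controller with
    two dead disks in one event should not lose the second one."""
    return [m.group("failed_disk_error") for m in FAILED_LINE_RE.finditer(event)]


def parse_disk_lines(event: str) -> List[Dict[str, str]]:
    """Break each disk line into named columns so status can be compared
    rather than pattern-matched on free text."""
    return [m.groupdict() for m in DISK_LINE_RE.finditer(event)]


def failed_disks(event: str) -> List[Dict[str, str]]:
    """Disks whose parenthesised status column is exactly 'Failed'."""
    return [d for d in parse_disk_lines(event) if d["status"] == "Failed"]


if __name__ == "__main__":
    print(extract_failed_disk_error(SAMPLE_EVENT))
    for disk in failed_disks(SAMPLE_EVENT):
        print(disk["slot"], disk["serial"], disk["status"])
```

The first function answers the question as asked; the parser behind the second set of functions is the form a practitioner usually wants in a monitoring pipeline, because a field such as `status` can be compared in a search or alert condition rather than re-extracted for each new failure string. Both regexes fail closed: an event with no failed disk yields None or an empty list, never a healthy line.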
Not related to this question, but something strange related to "answers.splunk.com"...
This post was created only 4 days back, but it says 2k views for this post.
The similar posts created on the same day have only 70 or 80 or 100 views!!!