Hi,
I want to split a field value into two parts at the very first line break (in total there is an unknown number of line breaks).
Here is an example.
Shown Fieldvalue:
java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333
at s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)
at s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
...
Raw data:
"stacktrace":"java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat
...
I want to cut after the first line break and ignore all following line breaks, so that in the end the bold part is fieldA and the rest is fieldB.
Thanks in advance
Like this:
... | rex "(?ms)^(?<part1>[^\r\n]+)[\r\n]+(?<part2>.*)$"
This seems to work in all cases 🙂 thanks
Hi
Did you try something like this
(?<your_field>[^\n]*)\n
or
(?<your_field>[^ ]*)\n
Bye.
Giuseppe
Unfortunately I'm not familiar with rex commands. Can you give me a hint on how to adopt this?
I tried
| rex field=fieldA (?[^ ]*)\n
But Splunk tells me
Error in 'SearchParser': Missing a search command before '^'.
PS: I don't know why this comment function rejects parts of my entered command after submitting it 😞
if you use this regex in a field you can write
(?<your_field>[^ ]*)\n
if instead you use it in a search, you must put regex in brackets, write
Your_search
| rex "(?<your_field>[^ ]*)\n"
| ...
try both solutions ([^ ] and [^\n])
Bye.
Giuseppe
Thanks for the clarification. Neither option changes the field value.
could you share another example of your log?
Bye.
Giuseppe
Here is an example.
Shown Fieldvalue:
java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333
at s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)
at s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
...
Raw data:
"stacktrace":"java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat
...
I want to cut after the first line break, so that the bold part is fieldA and the rest is fieldB.
try
(?<field1>[^\r\n]*)\n(?<field2>.*)
you can test it at https://regex101.com/r/10IbYY/1
Bye.
Giuseppe
This seems to be a step in the right direction. The field is separated, but field2 only shows the part until the next line break appears. Can we ignore all line breaks afterwards?
Strange, in my regex101 test field2 takes everything until the end...
anyway try
(?s)(?<field1>[^\r\n]*)\n(?<field2>.*)
see it at https://regex101.com/r/10IbYY/2
Bye.
Giuseppe
Thanks, that looks very promising! I recognized some cases where it does not work. Any idea why for this example here:
java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at
In Splunk field1 is empty. field2 is:
at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at
I cannot see if there's a newline for each line.
Putting this example into regex101, all three lines are in field1; if I insert a newline after the first, all logs are correctly read (the first in field1 and the others in field2).
Probably there's only one newline in these records.
Bye.
Giuseppe
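As an added example (not part of the thread), the accepted `(?ms)` pattern, the variant without `(?s)` that produced the "field2 stops at the next linebreak" symptom, and the early `[^ ]*` suggestion, all run in Python's `re` against constructed samples shaped like the raw data above, plus the single-line SocketException case where no line break exists at all. Python spells named groups `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the sample strings and the fallback behaviour for the no-newline case are my assumptions, not Splunk's.

```python
import re

# Constructed sample shaped like the thread's raw data: once the JSON is
# decoded, the stacktrace field holds real newline and tab characters.
SAMPLE_MULTILINE = (
    "java.lang.IllegalStateException: Could not generated a new mission config"
    "\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)"
    "\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance("
    "DelegatingConstructorAccessorImpl.java:45)"
)
# Constructed single-line record, like the SocketException case: no newline at all.
SAMPLE_SINGLE_LINE = (
    "java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed "
    "at java.net.SocketInputStream.socketRead0(SocketInputStream.java)"
)

# The accepted answer's pattern. Python's re spells named groups (?P<name>...)
# where Splunk's PCRE accepts (?<name>...); the flags mean the same thing:
# (?s) lets '.' cross newlines so part2 keeps every remaining frame.
ACCEPTED = re.compile(r"(?ms)^(?P<part1>[^\r\n]+)[\r\n]+(?P<part2>.*)$")
# Same pattern without (?s): '.' stops at the next newline, which is the
# "field2 only shows the part until the next linebreak" symptom.
NO_DOTALL = re.compile(r"(?m)^(?P<part1>[^\r\n]+)[\r\n]+(?P<part2>.*)$")
# The early [^ ]* suggestion: it cannot span spaces, so the match slides to
# the last space-free token before the newline instead of the first line.
SPACE_CLASS = re.compile(r"(?s)(?P<part1>[^ ]*)\n(?P<part2>.*)")


def split_first_line(text: str, pattern: re.Pattern = ACCEPTED) -> dict:
    """Split a stack trace at its first line break.

    Returns {'part1': ..., 'part2': ...}. When the record has no line break
    the pattern cannot match and rex would create neither field; returning the
    whole text as part1 (assumed fallback) keeps such records visible.
    """
    m = pattern.search(text)
    if m is None:
        return {"part1": text, "part2": ""}
    return m.groupdict()


if __name__ == "__main__":
    for name, pat in (("accepted", ACCEPTED), ("no (?s)", NO_DOTALL), ("[^ ]*", SPACE_CLASS)):
        print(name, split_first_line(SAMPLE_MULTILINE, pat))
    print("single line", split_first_line(SAMPLE_SINGLE_LINE))
```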