How to split a fieldvalue at the very first line break?

HeinzWaescher
Motivator

Hi,

I want to split up a field value into two parts at the very first line break (in total there is an unknown number of line breaks).

Here is an example.

Shown field value:
java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333
at s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)
at s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
...

Raw data:
"stacktrace":"java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat
...

I want to cut after the first line break and ignore all following line breaks, so that in the end the bold part is fieldA and the rest is fieldB.

Thanks in advance

1 Solution

woodcock
Esteemed Legend

Like this:

... | rex "(?ms)^(?<part1>[^\r\n]+)[\r\n]+(?<part2>.*)$"

HeinzWaescher
Motivator

This seems to work in all cases 🙂 thanks


gcusello
SplunkTrust

Hi,
did you try something like this:

(?<your_field>[^\n]*)\n

or

(?<your_field>[^ ]*)\n

Bye.
Giuseppe

HeinzWaescher
Motivator

Unfortunately I'm not familiar with rex commands. Can you give me a hint on how to adopt this?
I tried

| rex field=fieldA (?[^ ]*)\n

But Splunk tells me
Error in 'SearchParser': Missing a search command before '^'.

PS: I don't know why this comment function rejects parts of my entered command after submitting it 😞


gcusello
SplunkTrust

If you use this regex in a field you can write
(?[^ ]*)\n
if instead you use it in a search, you must put the regex in brackets, write

Your_search
| rex "(?<your_field>[^ ]*)\n"
| ...

Try both solutions ([^ ] and [^\n]).

Bye.
Giuseppe


HeinzWaescher
Motivator

Thanks for the clarification. Both options don't change the field value.


gcusello
SplunkTrust

Could you share another example of your log?
Bye.
Giuseppe


HeinzWaescher
Motivator

Here is an example.

Shown field value:
java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333
at s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)
at s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

...

Raw data:
"stacktrace":"java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat
...

I want to cut after the first line break, so that the bold part is fieldA and the rest is fieldB.


gcusello
SplunkTrust

Try

(?<field1>[^\r\n]*)\n(?<field2>.*)

you can test it at https://regex101.com/r/10IbYY/1

Bye.
Giuseppe


HeinzWaescher
Motivator

This seems to be a step in the right direction. The field is separated, but field2 only shows the part until the next line break appears. Can we ignore all line breaks afterwards?


gcusello
SplunkTrust

Strange, in my regex101 test field2 takes all until the end...
Anyway, try

(?s)(?<field1>[^\r\n]*)\n(?<field2>.*)

see it at https://regex101.com/r/10IbYY/2

Bye.
Giuseppe

HeinzWaescher
Motivator

Thanks, that looks very promising! I recognized some cases where it does not work. Any idea why for this example here:

java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at

In Splunk field1 is empty. field2 is:
at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at

0 Karma

gcusello
SplunkTrust

I cannot see if there's a newline for each line.
Putting this example in regex101, all three lines are in field1; if I insert a newline after the first, all logs are correctly read (the first in field1 and the others in field2).
Probably there's only one newline in these records.

Bye.
Giuseppe

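The accepted (?ms) rex, the "field2 stops at the next line break" symptom from the middle of the thread, and the no-line-break record from the last exchange, reproduced in Python as an added example (not code from the thread or from Splunk). It assumes Python's `re`, which spells named groups `(?P<name>...)` rather than PCRE's `(?<name>...)`; the sample values are constructed from the thread's own stack trace with the raw `\n\t` sequences turned into real newline and tab characters.

```python
import re

# Splunk's rex uses PCRE named groups (?<name>...); Python's re spells them (?P<name>...).
# Otherwise this is the accepted answer's pattern: first line, one or more line breaks, the rest.
_PATTERN = r"^(?P<part1>[^\r\n]+)[\r\n]+(?P<part2>.*)$"

# (?ms) from the accepted answer: MULTILINE plus DOTALL, so '.*' runs to the end of the value.
SPLIT_MS = re.compile(_PATTERN, re.MULTILINE | re.DOTALL)

# The same pattern without (?s): '.' stops at the next line break, which reproduces the
# "field2 only shows the part until the next line break" symptom reported in the thread.
SPLIT_M_ONLY = re.compile(_PATTERN, re.MULTILINE)

# Constructed sample: the thread's stacktrace value with the raw "\n\t" sequences turned into
# real newline and tab characters, as Splunk presents the field after JSON extraction.
STACKTRACE = (
    "java.lang.IllegalStateException: Could not generated a new mission config "
    "for player 97a49f4e-e99e-4594-8284-80989333\n"
    "\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n"
    "\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n"
)

# Constructed sample for the last exchange: a value that arrived as one long line with no line break.
SINGLE_LINE = (
    "java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed "
    "at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at"
)


def split_at_first_break(value: str, dotall: bool = True):
    """Split a field value at its first line break.

    Returns (part1, part2), or None when the value contains no line break at all,
    which is the case to check for when a record that looks multi-line is really one line.
    """
    pattern = SPLIT_MS if dotall else SPLIT_M_ONLY
    match = pattern.match(value)
    if match is None:
        return None
    return match.group("part1"), match.group("part2")


if __name__ == "__main__":
    for label, value in (("stacktrace", STACKTRACE), ("single line", SINGLE_LINE)):
        print(label, "(?ms):", split_at_first_break(value))
        print(label, "(?m) only:", split_at_first_break(value, dotall=False))
```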