Regex parse message to multiple lines help

kevincai79 · ‎04-13-2020

I have a below message:
[32minfo[39m: [Clean Storage] brand/market/testing1.html, brand/market/testing2.html, brand/market/testing3.html were successfully deleted from container stores-test

How do I use the splunk query to show the message as below:
brand market testing1.html
brand market testing2.html
brand market testing3.html

i've spent hours trying and I just could not got it right.

Thanks for your help.

harishalipaka · ‎04-14-2020

Hi @kevincai79

try this --

|makeresults |eval hari="[32minfo[39m: [Clean Storage] brand/market/testing1.html, brand/market/testing2.html, brand/market/testing3.html were successfully deleted from container stores-test" |table hari |rex field=hari "\] (?<Newfield>.*) were" |eval hari=trim(split(Newfield,",")) |rex field=hari mode=sed "s/\// /g" |table hari

Thanks
Harish

manjunathmeti · ‎04-14-2020

Use rex command with max_match=0. Try this.

| makeresults 
| eval _raw="[32minfo[39m: [Clean Storage] brand/market/testing1.html, brand/market/testing2.html, brand/market/testing3.html were successfully deleted from container stores-test" 
| rex max_match=0 "(?<message>[\w\/]+.html)" 
| mvexpand message 
| eval message=replace(message, "/", " ") 
| table message

vnravikumar · ‎04-14-2020

Please use Code Sample or Ctrl + K to post your sample message.

Regex parse message to multiple lines help

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Regex parse message to multiple lines help

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits