Solved: match multi-line event

bob87 · ‎12-17-2012

I am indexing multi-line events and would like to exclude events like the following:

2012-12-04 16:29:22.402 Some text failed:
From: ExecuteViewBasedLookupCC::Execute
Type: LogicError
Severity: Critical
Text: (vector (Null-null) 3.60206e+11 )

The rule for excluding events is the text ExecuteViewBasedLookupCC followed by (Null-null). I am using the following regular expression to match this event and redirect it to nullQueue:

REGEX=(?m)^.*ExecuteViewBasedLookupCC(?=.*(Null-null))

However it is not working. Any ideas please?

Ayn · ‎12-17-2012

You need to use the s modifier as well in order to have the dot match newlines. So (?ms)

http://www.regular-expressions.info/modifiers.html

View solution in original post

Ayn · ‎12-17-2012

You need to use the s modifier as well in order to have the dot match newlines. So (?ms)

http://www.regular-expressions.info/modifiers.html

bob87 · ‎12-17-2012

thanks, that worked!

match multi-line event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation