Re: Extracting number of fields from a multi line ...

hiwell · ‎06-22-2010

Hello,

I am trying to extract fields from an event which looks like this (I have multiple events)

total time (ms): 5 
web server processing time (ms/%): 2 40 
transmission time (ms/%): 3 60 
bytes sent/received: 100 200 
start time (ms): 1234 
end time(ms): 2345

some lines have one field, and other have two fields making it impossible for me to extract these numbers. I would like splunk to create two separate fields for the lines which have two parameters but I have not been successful in doing so. Anyone have any idea(s) to get this to work? Or is this not possible. Thanks!

hiwell · ‎06-25-2010

I ended up writing a script to pre-process the file to make the data Splunk-friendly.

katalinali · ‎06-23-2010

You may need to break every line as an event and define two regex like:

REGEX...:(\d+)\s+(\d+) FORMAT=field1::$1 field2::$2

REGEX=...:(\d+) FORMAT=field3::$1

hiwell · ‎06-29-2010

😞 it definitely pulls out a few of the fields but its very redundant and the regexes triggers for all the events giving a lot of garbage fields. Thanks though! This could be useful for other cases

Extracting number of fields from a multi line event

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today