Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field Extraction with Multiline and Single line mi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rangarbus
Path Finder
12-13-2020
08:06 PM
Hi Team:
Here on the Extraction for Event 2, the MESSAGE field is extracted as empty as its not multiline.
How should i extract MESSAGE for both multiline and single line.?
Query:
index=abcd sourcetype=fallback
| rex field=_raw "^(?P<DATETIME>[^,]+),\d+\s+\[(?P<DAEMON>[^\]]+)\]\s+(?P<SEV>[^ ]+)\s+(?P<CLASS>[^ ]+)\s+\-\s+(?P<MESSAGE>(.*[\r\n]+)*)"
| table DATETIME, DAEMON, SEV, CLASS, MESSAGEEvent 1:
2020-12-07 17:43:02,075 [ABCD_Daemon1] WARN ABCD_CLASS1 - Failed to process
java.lang.InterruptedException
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:2014)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2048)
at java.util.concurrent.ArrayBlockingQueue.take(ArrayBlockingQueue.java:403)
at db.$EmailNotifierDaemon.run(asdasd.java:1133)Extracted as:
DATETIME : 2020-12-07 17:43:02
DAEMON: ABCD_Daemon1
SEV: WARN
CLASS: ABCD_CLASS1
MESSAGE: Failed to process
java.lang.InterruptedException
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:2014)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2048)
at java.util.concurrent.ArrayBlockingQueue.take(ArrayBlockingQueue.java:403)
at db.$EmailNotifierDaemon.run(asdasd.java:1133)
Event 2:
2020-12-07 16:12:14,273 [ABCD_Daemon2] INFO ABCD_CLASS2 - Got notification for external configuration change, cleaning caches.Extracted as:
DATETIME : 2020-12-07 16:12:14
DAEMON: ABCD_Daemon2
SEV: INFO
CLASS: ABCD_CLASS2
MESSAGE:Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-13-2020
11:48 PM
Try adding the new line as not mandatory
change to
(?P<MESSAGE>(.*[\r\n]?+)*)
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
12-13-2020
11:48 PM
Try adding the new line as not mandatory
change to
(?P<MESSAGE>(.*[\r\n]?+)*)
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
