Solved: Grep a part of the multiline event.

sarvan7777 · ‎04-19-2018

I want to strip few rows from my log file and create a report in Splunk. Here is a sample even.

blah blah blah
blah blah blah
COUNT TOPIC COMPONENT

======= =========== ==========
586 ABC DEF
231 MNO XYZ
blah blah blah
blah blah blah

All I need is the fields count, topic and component along with the values in my report. Any input is highly appreciated

woodcock · ‎04-22-2018

Like this:

Your Base Search Here
| rex "(?msi)^COUNT\s+TOPIC\s+COMPONENT[\r\n\s=]+(?<COUNT1>\S+)\s+(?<TOPIC1>\S+)\s+(?<COMPONENT1>\S+)[\r\n\s=]+(?<COUNT2>\S+)\s+(?<TOPIC2>\S+)\s+(?<COMPONENT2>\S+)"

You now have fields: COUNT1, TOPIC1, COMPONENT1, COUNT2, TOPIC2, and COMPONENT2.

View solution in original post

woodcock · ‎04-22-2018

Like this:

Your Base Search Here
| rex "(?msi)^COUNT\s+TOPIC\s+COMPONENT[\r\n\s=]+(?<COUNT1>\S+)\s+(?<TOPIC1>\S+)\s+(?<COMPONENT1>\S+)[\r\n\s=]+(?<COUNT2>\S+)\s+(?<TOPIC2>\S+)\s+(?<COMPONENT2>\S+)"

You now have fields: COUNT1, TOPIC1, COMPONENT1, COUNT2, TOPIC2, and COMPONENT2.

sarvan7777 · ‎04-22-2018

This is just what I want. Thanks for your response

Grep a part of the multiline event.

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest