How can I configure REGEX to recognize/match on a ...

the_wolverine · ‎07-16-2010

I have a REGEX configured (in transforms.conf) that works with my single line events, but appears to be failing on all multi-line events. Is there a special configuration necessary to get the REGEX to work on multi-line events?

the_wolverine · ‎07-16-2010

Correct. The regex processor is unable to handle multi-line events without additional configuration. You'll need to tell it that the event is multi-line by using (?m) before the regular expression. For example:

REGEX = (?m)^(.*)(foobar)

the_wolverine · ‎07-16-2010

LOL - duly noted. I've updated the response.

Lowell · ‎07-16-2010

Suggested change: "The regex processor is unable to handle multi-line events" may be more accurate as: "The regex processor handles multi-line events one line at a time."

How can I configure REGEX to recognize/match on a multi-line event?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

How can I configure REGEX to recognize/match on a multi-line event?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions