Re: How do I extract these lines from my sample mu...

gutter · ‎06-01-2016

Hi,

I'm trying to extract some lines from a multiline event, for example:

2016-05-17T19:40:37,022 INFO  [00000033] :sassrv - 16         PROC SQL;
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 17            CREATE TABLE WORK.QUERY_FOR_TDWH051_QUOTES_TA AS
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 18            SELECT t1.DT_FECHAPRO,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 19                   t1.I1,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 20                   t1.'I1 SENTIT INFORMACIO'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 21                   t1.I2,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 22                   t1.'I2 NATURALESA OPERACIONS'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 23                   t1.I3,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 24                   t1.'I3 TIPUS COMPENSACIO'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 25                   t1.ID_MENSAG,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 26                   t1.MISSATGE,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 27                   t1.'Codi proces'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 28                   t1.PROCES,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 29                   t1.Operacions,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 30                   t1.IMPORT,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 31                   t1.QUOTA1,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 32                   /* quota% */
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 33                     (round(round((t1.QUOTA1 * 100), 0.01) / round(t1.IMPORT,0.01), 0.01)) FORMAT=8.2 LABEL="quota%" AS 'quota%'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 34                   t1.ID_TIPCUOT1,
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 35                   t1.descripcio LABEL="DESCRIPCIO"
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 36               FROM WORK.QUERY_FOR_TDWH051_QUOTES_TA_0001 t1
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 37               WHERE t1.ID_MENSAG NOT = '1144';
2016-05-17T19:40:37,024 TRACE [00000004] :sassrv - Libref=WORK Engine=V9 Member=QUERY_FOR_TDWH051_QUOTES_TA_0001 MemberType=DATA Openmode=INPUT Path=/SAS/tmp/SAS_work23F0005F0068_sasprod2/SAS_work8755005F0068_sasprod2

And I want to extract in a single field the following information:

PROC SQL;
    CREATE TABLE WORK.QUERY_FOR_TDWH051_QUOTES_TA AS
            SELECT t1.DT_FECHAPRO,
                   t1.I1,
                   t1.'I1 SENTIT INFORMACIO'n,
                   t1.I2,
                   t1.'I2 NATURALESA OPERACIONS'n,
                   t1.I3,
                   t1.'I3 TIPUS COMPENSACIO'n,
                   t1.ID_MENSAG,
                   t1.MISSATGE,
                   t1.'Codi proces'n,
                   t1.PROCES,
                   t1.Operacions,
                   t1.IMPORT,
                   t1.QUOTA1,
                   /* quota% */
                     (round(round((t1.QUOTA1 * 100), 0.01) / round(t1.IMPORT,0.01), 0.01)) FORMAT=8.2 LABEL="quota%" AS 'quota%'n,
                   t1.ID_TIPCUOT1,
                   t1.descripcio LABEL="DESCRIPCIO"
               FROM WORK.QUERY_FOR_TDWH051_QUOTES_TA_0001 t1
               WHERE t1.ID_MENSAG NOT = '1144';

is it possible? Note that all the lines are only for one event.

Thanks in advance.

Alex

sundareshr · ‎06-01-2016

Assuming the data you want to extract starts with a PROC and ends with ; try this

your base search | rex field=_raw "(?<sql>PROC[\W\S]+);)" | table sql

gutter · ‎06-01-2016

Thanks sundareshr, but it doesn't give the ouput I want...

It still shows the timestamp and the other garbage:

2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 26 t1.MISSATGE,
2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 27 t1.'Codi proces'n,
2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 28 t1.PROCES,

but we're close!

How do I extract these lines from my sample multiline event without patterns into a single field?

Data Management Digest – November 2025

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Are you a member of the Splunk Community?

How do I extract these lines from my sample multiline event without patterns into a single field?

Data Management Digest – November 2025

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...