Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I extract these lines from my sample multiline event without patterns into a single field?

gutter
New Member
‎06-01-2016 06:21 AM

Hi,

I'm trying to extract some lines from a multiline event, for example:

2016-05-17T19:40:37,022 INFO  [00000033] :sassrv - 16         PROC SQL;
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 17            CREATE TABLE WORK.QUERY_FOR_TDWH051_QUOTES_TA AS
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 18            SELECT t1.DT_FECHAPRO,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 19                   t1.I1,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 20                   t1.'I1 SENTIT INFORMACIO'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 21                   t1.I2,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 22                   t1.'I2 NATURALESA OPERACIONS'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 23                   t1.I3,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 24                   t1.'I3 TIPUS COMPENSACIO'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 25                   t1.ID_MENSAG,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 26                   t1.MISSATGE,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 27                   t1.'Codi proces'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 28                   t1.PROCES,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 29                   t1.Operacions,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 30                   t1.IMPORT,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 31                   t1.QUOTA1,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 32                   /* quota% */
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 33                     (round(round((t1.QUOTA1 * 100), 0.01) / round(t1.IMPORT,0.01), 0.01)) FORMAT=8.2 LABEL="quota%" AS 'quota%'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 34                   t1.ID_TIPCUOT1,
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 35                   t1.descripcio LABEL="DESCRIPCIO"
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 36               FROM WORK.QUERY_FOR_TDWH051_QUOTES_TA_0001 t1
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 37               WHERE t1.ID_MENSAG NOT = '1144';
2016-05-17T19:40:37,024 TRACE [00000004] :sassrv - Libref=WORK Engine=V9 Member=QUERY_FOR_TDWH051_QUOTES_TA_0001 MemberType=DATA Openmode=INPUT Path=/SAS/tmp/SAS_work23F0005F0068_sasprod2/SAS_work8755005F0068_sasprod2

And I want to extract in a single field the following information:

PROC SQL;
    CREATE TABLE WORK.QUERY_FOR_TDWH051_QUOTES_TA AS
            SELECT t1.DT_FECHAPRO,
                   t1.I1,
                   t1.'I1 SENTIT INFORMACIO'n,
                   t1.I2,
                   t1.'I2 NATURALESA OPERACIONS'n,
                   t1.I3,
                   t1.'I3 TIPUS COMPENSACIO'n,
                   t1.ID_MENSAG,
                   t1.MISSATGE,
                   t1.'Codi proces'n,
                   t1.PROCES,
                   t1.Operacions,
                   t1.IMPORT,
                   t1.QUOTA1,
                   /* quota% */
                     (round(round((t1.QUOTA1 * 100), 0.01) / round(t1.IMPORT,0.01), 0.01)) FORMAT=8.2 LABEL="quota%" AS 'quota%'n,
                   t1.ID_TIPCUOT1,
                   t1.descripcio LABEL="DESCRIPCIO"
               FROM WORK.QUERY_FOR_TDWH051_QUOTES_TA_0001 t1
               WHERE t1.ID_MENSAG NOT = '1144';

is it possible? Note that all the lines are only for one event.

Thanks in advance.

Alex

0 Karma
Reply

sundareshr
Legend
‎06-01-2016 06:34 AM

Assuming the data you want to extract starts with a PROC and ends with ; try this

your base search | rex field=_raw "(?<sql>PROC[\W\S]+);)" | table sql
0 Karma
Reply

gutter
New Member
‎06-01-2016 09:05 AM

Thanks sundareshr, but it doesn't give the ouput I want...

It still shows the timestamp and the other garbage:

2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 26 t1.MISSATGE,
2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 27 t1.'Codi proces'n,
2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 28 t1.PROCES,

but we're close!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...