Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I extract these lines from my sample multiline event without patterns into a single field?

gutter
New Member
‎06-01-2016 06:21 AM

Hi,

I'm trying to extract some lines from a multiline event, for example:

2016-05-17T19:40:37,022 INFO  [00000033] :sassrv - 16         PROC SQL;
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 17            CREATE TABLE WORK.QUERY_FOR_TDWH051_QUOTES_TA AS
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 18            SELECT t1.DT_FECHAPRO,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 19                   t1.I1,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 20                   t1.'I1 SENTIT INFORMACIO'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 21                   t1.I2,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 22                   t1.'I2 NATURALESA OPERACIONS'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 23                   t1.I3,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 24                   t1.'I3 TIPUS COMPENSACIO'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 25                   t1.ID_MENSAG,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 26                   t1.MISSATGE,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 27                   t1.'Codi proces'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 28                   t1.PROCES,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 29                   t1.Operacions,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 30                   t1.IMPORT,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 31                   t1.QUOTA1,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 32                   /* quota% */
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 33                     (round(round((t1.QUOTA1 * 100), 0.01) / round(t1.IMPORT,0.01), 0.01)) FORMAT=8.2 LABEL="quota%" AS 'quota%'n,
2016-05-17T19:40:37,023 INFO  [00000033] :sassrv - 34                   t1.ID_TIPCUOT1,
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 35                   t1.descripcio LABEL="DESCRIPCIO"
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 36               FROM WORK.QUERY_FOR_TDWH051_QUOTES_TA_0001 t1
2016-05-17T19:40:37,024 INFO  [00000033] :sassrv - 37               WHERE t1.ID_MENSAG NOT = '1144';
2016-05-17T19:40:37,024 TRACE [00000004] :sassrv - Libref=WORK Engine=V9 Member=QUERY_FOR_TDWH051_QUOTES_TA_0001 MemberType=DATA Openmode=INPUT Path=/SAS/tmp/SAS_work23F0005F0068_sasprod2/SAS_work8755005F0068_sasprod2

And I want to extract in a single field the following information:

PROC SQL;
    CREATE TABLE WORK.QUERY_FOR_TDWH051_QUOTES_TA AS
            SELECT t1.DT_FECHAPRO,
                   t1.I1,
                   t1.'I1 SENTIT INFORMACIO'n,
                   t1.I2,
                   t1.'I2 NATURALESA OPERACIONS'n,
                   t1.I3,
                   t1.'I3 TIPUS COMPENSACIO'n,
                   t1.ID_MENSAG,
                   t1.MISSATGE,
                   t1.'Codi proces'n,
                   t1.PROCES,
                   t1.Operacions,
                   t1.IMPORT,
                   t1.QUOTA1,
                   /* quota% */
                     (round(round((t1.QUOTA1 * 100), 0.01) / round(t1.IMPORT,0.01), 0.01)) FORMAT=8.2 LABEL="quota%" AS 'quota%'n,
                   t1.ID_TIPCUOT1,
                   t1.descripcio LABEL="DESCRIPCIO"
               FROM WORK.QUERY_FOR_TDWH051_QUOTES_TA_0001 t1
               WHERE t1.ID_MENSAG NOT = '1144';

is it possible? Note that all the lines are only for one event.

Thanks in advance.

Alex

0 Karma
Reply

sundareshr
Legend
‎06-01-2016 06:34 AM

Assuming the data you want to extract starts with a PROC and ends with ; try this

your base search | rex field=_raw "(?<sql>PROC[\W\S]+);)" | table sql
0 Karma
Reply

gutter
New Member
‎06-01-2016 09:05 AM

Thanks sundareshr, but it doesn't give the ouput I want...

It still shows the timestamp and the other garbage:

2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 26 t1.MISSATGE,
2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 27 t1.'Codi proces'n,
2016-05-17T19:40:37,023 INFO [00000033] :sassrv - 28 t1.PROCES,

but we're close!

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...