Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to capture multiple lines using rex command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am having difficulties capturing Multiple lines of logs from splunk using rex command.
03:25:17.296: SIPTR: Received [0,UDP] 543 bytes from 10.xx.7x.1xx:8080 <<<<<
REGISTER sip:10.xx.7x.1xx SIP/2.0
Via: SIP/2.0/UDP 10.xx.7x.1xx;branch=hkhi8u09uj
From: "Dummy" ;tag=78979uh
CSeq: 68789 REGISTER
Call-ID: xxxxxx-7689-xxxx@10.xx.7x.1xx
Contact: ;methods="INVITE, ACK, BYE, CANCEL, OPTIONS, UPDATE, REFER"
User-Agent: Polycom_r64786r9879r87
Accept-Language: en
Max-Forwards: 70
Expires: 60
I have to capture lines starting from "REGISTER sip:" till "User-Agent: ", is there any way to capture multiple lines in same rex file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use the dotall modifier to tell splunk to match newlines with '.'
... | rex "REGISTER sip:(?s)(?<new_field_name>.*)User-Agent"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sumagarw,
try something like this
REGISTER sip:(?<your_field>(.|\n)+)User-Agent:
test it at https://regex101.com/r/TlOYUg/1
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use the dotall modifier to tell splunk to match newlines with '.'
... | rex "REGISTER sip:(?s)(?<new_field_name>.*)User-Agent"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @jplumsdaine22
Looks like i am able to capture required lines. Can you also help me to capture "10.xx.7x.1xx SIP/2.0" , "Dummy", and "Call-ID: " from captured data in a table format.
Thing is that data keeps on repeating, now i have to capture specified info from captured line and get in table format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you should do is create a field extraction for each field in the data. That will make your job a great deal easier!
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again,! but for time being, is there anyway to build regex for same?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
