Splunk Search

How to correct my regex to extract text from two or more lines?

Bhuavana
Explorer

Hi,

Please let me know the regex to extract text from 2 or 3 or more lines.

For the below log text:

ClientIp=065162175003 : - Exception while getting fileApolloWhitelistedCredentials.properties ResourceHandler:getConfirationProperties() 
java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/ApolloWhitelistedCredentials.properties (No such file or directory)
 at 

I have used the below regex, but it extracts text [from -- Exception while getting] [till -- getConfirationProperties()], but the text on the next line [java.io.FileNotFoundException --> is not appended] to the field exception_msg.

| rex field=_raw "ClientIp=d{12} :  -(?<exception_msg>(.*)+[\n at]\n)"

Kindly let me know the correct regex to extract text starting from [Exception.....] till [(No such file or directory)].


Venkat_16
Contributor

Hi Bhuavana,

   ClientIp=\d{12}\s\:\s\-\s(?P<msg>(.|\r|\n)+?)\(No\ssuch\sfile\sor\sdirectory\)

       Please try this...

Thanks,
Venkat

MuS
Legend

Hi Bhuavana,

try something like this:

your base search here | rex field=_raw "ClientIp=\d{12}\s\:\s\-\s(?<myMsg>(?s).*)\(No\ssuch\sfile\sor\sdirectory\)" | table myMsg

cheers, MuS
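An added example, not part of the original thread: it runs three variants of the pattern over events constructed from the log lines in the question, showing that a bare `.` stops at the line break and that the lazy and greedy multi-line forms differ once the closing phrase occurs twice in one event. Python's `re` stands in for the PCRE engine behind `rex`, so the named group is written `(?P<msg>...)` and the dot-all flag as `(?s:...)`; the `Caused by` line, the CRLF variant and all function and variable names are assumptions.

```python
import re

# Constructed sample events, built from the two log lines in the question.
HEAD = ("ClientIp=065162175003 : - Exception while getting file"
        "ApolloWhitelistedCredentials.properties "
        "ResourceHandler:getConfirationProperties() ")
TRACE = ("java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/"
         "ApolloWhitelistedCredentials.properties (No such file or directory)")

EVENT_LF = HEAD + "\n" + TRACE + "\n at "            # Unix line endings
EVENT_CRLF = HEAD + "\r\n" + TRACE + "\r\n at "      # Windows line endings
# Constructed: a second occurrence of the closing phrase later in the event.
EVENT_TWO = (EVENT_LF + "com.example.Handler.load(Handler.java:42)\n"
             "Caused by: java.io.IOException: /tmp/constructed "
             "(No such file or directory)\n")

PREFIX = r"ClientIp=\d{12}\s:\s-\s"
SUFFIX = r"\(No\ssuch\sfile\sor\sdirectory\)"

PATTERNS = {
    # '.' never matches '\n', so this cannot reach the second line.
    "dot_only": PREFIX + r"(?P<msg>.+?)" + SUFFIX,
    # Line breaks listed explicitly; lazy, so it stops at the first SUFFIX.
    "explicit_breaks_lazy": PREFIX + r"(?P<msg>(?:.|\r|\n)+?)" + SUFFIX,
    # Dot-all switched on for the group; greedy, so it runs to the last SUFFIX.
    "dotall_greedy": PREFIX + r"(?P<msg>(?s:.*))" + SUFFIX,
}


def extract(name, event):
    """Return the captured msg for the named pattern, or None if no match."""
    m = re.search(PATTERNS[name], event)
    return m.group("msg") if m else None


if __name__ == "__main__":
    events = {"LF": EVENT_LF, "CRLF": EVENT_CRLF, "two terminators": EVENT_TWO}
    for label, event in events.items():
        for name in PATTERNS:
            print(f"{label:16} {name:22} -> {extract(name, event)!r}")
```

If an event can contain the closing phrase more than once, the choice between the lazy and greedy form decides how much of the stack trace ends up in the field.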
