Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a multi-line field extraction

dowdag
Engager
‎06-07-2019 08:59 AM

I am using splunk free -- and have data in format of:

2019-06-06 11:10:10,029 "somedata" # - Start of event
TransId=(?\d+) # - I want to capture this value
- Logging More data on next line
PaymendId=(?\d+) #I want to capture this value -- End of event
2019-06-06 11:10:10,129 "somedata" - then next event with different logging info.

What needs to be set in the source type for this to work?

I was not able to create multi-line field exaction, I did use (?ms) but had no success.
Thanks for any help or suggestions.

0 Karma
Reply

martynoconnor
Communicator
‎06-07-2019 11:45 AM

If you are happy that the event format is very consistent and doesn't change much there's nothing to stop you using [\r\n] as an option in your sourcetype EXTRACT-blah=

That would only work, however, if Splunk recognises your events are multiline (i.e. you have already included event breaking statements in props.conf and have use SHOULD_LINEMERGE=true.

This works:

TransId=(?\d+)\s.+[\r\n]+.+[\r\n]PaymentId=(?\d+)\s

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...