Splunk Search

How to extract string in a field that spans multiple lines?

jedatt01
Builder

I'm trying to extract a string in a field that spans multiple lines. See example below.

03/09/2014 07:10:38 AM - Process(****.****) User(***) Program(*****)
                    Host(*****)
AMQ****: The data received from host '******* (*******)' is not
valid.
EXPLANATION:
An error has been detected, and the WebSphere MQ error recording routine has
been called. The failing process is process *****.
ACTION:
Use the standard facilities supplied with your system to record the problem
identifier and to save any generated output files. Use either the WMQ Support
site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support
Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a
solution is already available.  If you are unable to find a match, contact your
IBM support center.  Do not discard these files until the problem has been
resolved.
----- amqxfdcx.c : 829 --------------------------------------------------------

The part i'm trying to extract is below:
The data received from host '******* (*******)' is not
valid.

1 Solution

somesoni2
Revered Legend

Try this

your base search | rex "(?m).*?: (?P<1ErrorMessage>[^\.]*)"

Updated:

your base search |rex "(?m).*?: (?P<ErrorMessage>(.*[\r\n]+)*)EXPLANATION:([\r\n]+)(?P<Explanation>(.*[\r\n]+)*)ACTION:"

View solution in original post

jedatt01
Builder

I also want to extract a field that will encapsulate the follow as well.

EXPLANATION:
An error has been detected, and the WebSphere MQ error recording routine has
been called. The failing process is process ****.

0 Karma

somesoni2
Revered Legend

Try this

your base search | rex "(?m).*?: (?P<1ErrorMessage>[^\.]*)"

Updated:

your base search |rex "(?m).*?: (?P<ErrorMessage>(.*[\r\n]+)*)EXPLANATION:([\r\n]+)(?P<Explanation>(.*[\r\n]+)*)ACTION:"

jedatt01
Builder

works great!

0 Karma

somesoni2
Revered Legend

Try the updated regex.

0 Karma

jedatt01
Builder

Getting closer, only problem is some of my events have an IP address in it so it stops after the first octet (ex. 192.

Is there a way to make it stop before it sees the string EXPLANATION:?

0 Karma
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...