Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract string in a field that spans multiple lines?

jedatt01
Builder
‎07-30-2014 06:58 AM

I'm trying to extract a string in a field that spans multiple lines. See example below.

03/09/2014 07:10:38 AM - Process(****.****) User(***) Program(*****)
                    Host(*****)
AMQ****: The data received from host '******* (*******)' is not
valid.
EXPLANATION:
An error has been detected, and the WebSphere MQ error recording routine has
been called. The failing process is process *****.
ACTION:
Use the standard facilities supplied with your system to record the problem
identifier and to save any generated output files. Use either the WMQ Support
site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support
Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a
solution is already available.  If you are unable to find a match, contact your
IBM support center.  Do not discard these files until the problem has been
resolved.
----- amqxfdcx.c : 829 --------------------------------------------------------

The part i'm trying to extract is below:
The data received from host '******* (*******)' is not
valid.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-30-2014 07:09 AM

Try this

your base search | rex "(?m).*?: (?P<1ErrorMessage>[^\.]*)"

Updated:

your base search |rex "(?m).*?: (?P<ErrorMessage>(.*[\r\n]+)*)EXPLANATION:([\r\n]+)(?P<Explanation>(.*[\r\n]+)*)ACTION:"

View solution in original post

Reply
Solved! Jump to solution

jedatt01
Builder
‎07-30-2014 07:11 AM

I also want to extract a field that will encapsulate the follow as well.

EXPLANATION:
An error has been detected, and the WebSphere MQ error recording routine has
been called. The failing process is process ****.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-30-2014 07:09 AM

Try this

your base search | rex "(?m).*?: (?P<1ErrorMessage>[^\.]*)"

Updated:

your base search |rex "(?m).*?: (?P<ErrorMessage>(.*[\r\n]+)*)EXPLANATION:([\r\n]+)(?P<Explanation>(.*[\r\n]+)*)ACTION:"
Reply
Solved! Jump to solution

jedatt01
Builder
‎07-30-2014 10:48 AM

works great!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-30-2014 08:48 AM

Try the updated regex.

0 Karma
Reply
Solved! Jump to solution

jedatt01
Builder
‎07-30-2014 07:58 AM

Getting closer, only problem is some of my events have an IP address in it so it stops after the first octet (ex. 192.

Is there a way to make it stop before it sees the string EXPLANATION:?

0 Karma
Reply
Get Updates on the Splunk Community!

hadoop vs splunk

hiIn big data can we replace hadoop by splunk ? and why?do splunk do&nbsp; all hadoop fonctionality

Apply a condition depends on a field or token

Hi teamI need to apply a different condition in one panel of my dashboard depending on a selected column in ...

Index with one sourcetype - search performance / best practices

Hello,I have created a few indexes, each containing data only from one source with one sourcetype.<BR />From a ...