Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract string in a field that spans multip...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
jedatt01
Builder
07-30-2014
06:58 AM
I'm trying to extract a string in a field that spans multiple lines. See example below.
03/09/2014 07:10:38 AM - Process(****.****) User(***) Program(*****)
Host(*****)
AMQ****: The data received from host '******* (*******)' is not
valid.
EXPLANATION:
An error has been detected, and the WebSphere MQ error recording routine has
been called. The failing process is process *****.
ACTION:
Use the standard facilities supplied with your system to record the problem
identifier and to save any generated output files. Use either the WMQ Support
site: http://www.ibm.com/software/integration/wmq/support/, or IBM Support
Assistant (ISA): http://www.ibm.com/software/support/isa/, to see whether a
solution is already available. If you are unable to find a match, contact your
IBM support center. Do not discard these files until the problem has been
resolved.
----- amqxfdcx.c : 829 --------------------------------------------------------
The part i'm trying to extract is below:
The data received from host '******* (*******)' is not
valid.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
somesoni2
Revered Legend
07-30-2014
07:09 AM
Try this
your base search | rex "(?m).*?: (?P<1ErrorMessage>[^\.]*)"
Updated:
your base search |rex "(?m).*?: (?P<ErrorMessage>(.*[\r\n]+)*)EXPLANATION:([\r\n]+)(?P<Explanation>(.*[\r\n]+)*)ACTION:"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
jedatt01
Builder
07-30-2014
07:11 AM
I also want to extract a field that will encapsulate the follow as well.
EXPLANATION:
An error has been detected, and the WebSphere MQ error recording routine has
been called. The failing process is process ****.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
somesoni2
Revered Legend
07-30-2014
07:09 AM
Try this
your base search | rex "(?m).*?: (?P<1ErrorMessage>[^\.]*)"
Updated:
your base search |rex "(?m).*?: (?P<ErrorMessage>(.*[\r\n]+)*)EXPLANATION:([\r\n]+)(?P<Explanation>(.*[\r\n]+)*)ACTION:"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
jedatt01
Builder
07-30-2014
10:48 AM
works great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
somesoni2
Revered Legend
07-30-2014
08:48 AM
Try the updated regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
jedatt01
Builder
07-30-2014
07:58 AM
Getting closer, only problem is some of my events have an IP address in it so it stops after the first octet (ex. 192.
Is there a way to make it stop before it sees the string EXPLANATION:?
Take the 2021 Splunk Career Survey
Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.
Earn $50 in Amazon cash!
Full Details! >
