Solved: Re: How to handle \n in regex

ppatkar · ‎03-03-2021

In some of the events, I have '\n' in the events :

message: org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallback; uncategorized SQLException for SQL <{call XYZ_API.PROCESS_EVENT(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}>; SQL state <16000>; error code <20011>; ORA-00060: deadlock detected while waiting for resource\nORA-06512: at "ABC_OWNER.XYZ_API", line 5133\nORA-06512: at "ABC_OWNER.XYZ_API", line 2001\nORA-06512: at "ABC_OWNER.XYZ_API", line 6829\nORA-06512: at line 1\n; nested exception is java.sql.SQLException: ORA-00060: deadlock detected while waiting for resource\nORA-06512: at "ABC_OWNER.XYZ_API", line 5133\nORA-06512: at "ABC_OWNER.XYZ_API", line 2001\nORA-06512: at "ABC_OWNER.XYZ_API", line 6829\nORA-06512: at line 1\n'

Although my regex (message:\s(?<METADATA_ERROR>[^\\\n]+)) to extract until the first '\n' appears in the event works :

https://regex101.com/r/XwEg29/1

When I try on Splunk, it extracts only 'org.spri'

Do we need to handle \n differently in Splunk ?

ITWhisperer · ‎03-03-2021

You need a couple more backslashes

(message:\s(?<METADATA_ERROR>[^\\\\\n]+))

View solution in original post

ITWhisperer · ‎03-03-2021

You need a couple more backslashes

(message:\s(?<METADATA_ERROR>[^\\\\\n]+))

How to handle \n in regex

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation