Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to split event lines into multiple fields using regex?

vamseepotluri
New Member
‎03-29-2016 12:25 PM

HI,

I am trying to write a regex to split these event lines into multiple fields.
Can some one please help me how to achieve this for these events mentioned below?

Tue Mar 29 15:20:16 EDT 2016 NODE MDMServiceDmgrNode on   - Deployment manager
Tue Mar 29 15:20:16 EDT 2016 NODE MDMServiceNode01 on  
Tue Mar 29 15:20:16 EDT 2016 NODE MDMServiceNode02 on 

Tue Mar 29 15:20:16 EDT 2016    DEPLOYMENT_MANAGER dmgr            RUNNING
Tue Mar 29 15:20:16 EDT 2016    APPLICATION_SERVER MDMServiceAppServer01 RUNNING
Tue Mar 29 15:20:16 EDT 2016    NODE_AGENT         nodeagent       RUNNING
Tue Mar 29 15:20:16 EDT 2016    APPLICATION_SERVER MDMServiceAppServer02 RUNNING
Tue Mar 29 15:20:16 EDT 2016    NODE_AGENT         nodeagent       RUNNING
Tue Mar 29 15:20:16 EDT 2016    WEB_SERVER         MDMServiceHTTPServer01 RUNNING
Tue Mar 29 15:20:16 EDT 2016    WEB_SERVER         MDMServiceHTTPServer02 RUNNING

Thanks, Much Appreciated.

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-29-2016 03:47 PM

What is the intended purpose of the first rex command?
The second rex command doesn't extract any fields. Try this

... | rex field=line "(?<Eventtime>\w+\s\w+\s\d+\s\d+:\d+:\d+\s\w+\s\d+)\s+(?<ServerType>[\w_]+)\s+(?<ServerName>\w+)\s+(?<Status>\w+)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

somesoni2
Revered Legend
‎03-29-2016 03:45 PM

Based on your sample search, you've multiline event. I would suggest to configure line breaking to split those multiple events as separate events as I can see they all have timestamp and good candidates for line breaking. It will also reduce load on indexers.

Meanwhile, Try this (check the line 1 and update according your current search)

index="myindex" sourcetype="mysourcetype" | rex "(?m)^(?<line>\V+)$" max_match=10000 | table line | mvexpand line
  | rex field=line "^(?<Eventtime>(\S+\s+){6})(?<ServerType>\S+)\s+(?<ServerName>\S+)\s+(?<Status>\S+)"

If above doesn't work try this as well

index="myindex" sourcetype="mysourcetype" | rex "(?m)^(?<line>\V+)$" max_match=10000 | table line | mvexpand line | rex mode=sed field=line "s/^\s+(.+)/\1/"   | rex field=line "^(?<Eventtime>(\S+\s+){6})(?<ServerType>\S+)\s+(?<ServerName>\S+)\s+(?<Status>\S+)"
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2016 03:54 PM

Agree that multiline events are your enemy, especially when every line has a valid timestamp.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-29-2016 12:57 PM

What are the fields?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vamseepotluri
New Member
‎03-29-2016 01:51 PM

Fields should be something like this.

Eventtime ServerType ServerName Status
Tue Mar 29 15:20:16 EDT 2016 DEPLOYMENT_MANAGER dmgr RUNNING

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2016 01:55 PM

You want to post what have you been trying, and explain what particular expectation is not met by your method.

0 Karma
Reply

vamseepotluri
New Member
‎03-29-2016 02:00 PM 
index="myindex" sourcetype="mysourcetype" | rex "(?m)^(?\V+)$" max_match=10000 | table line | mvexpand line | rex field=line "^(?%w\s%b\s%d\s%H:%M:%S\s%Z\s%Y\d+)\s+(?[a-zA-Z]\d+)\s+(?[a-z0-9#]\d+)\s+(?[a-zA-Z]\d+)$" | table eventtime, SERVERTYPE, SERVERNAME, STATUS
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...