Re: How to split event lines into multiple fields ...

vamseepotluri · ‎03-29-2016

HI,

I am trying to write a regex to split these event lines into multiple fields.
Can some one please help me how to achieve this for these events mentioned below?

Tue Mar 29 15:20:16 EDT 2016 NODE MDMServiceDmgrNode on   - Deployment manager
Tue Mar 29 15:20:16 EDT 2016 NODE MDMServiceNode01 on  
Tue Mar 29 15:20:16 EDT 2016 NODE MDMServiceNode02 on 

Tue Mar 29 15:20:16 EDT 2016    DEPLOYMENT_MANAGER dmgr            RUNNING
Tue Mar 29 15:20:16 EDT 2016    APPLICATION_SERVER MDMServiceAppServer01 RUNNING
Tue Mar 29 15:20:16 EDT 2016    NODE_AGENT         nodeagent       RUNNING
Tue Mar 29 15:20:16 EDT 2016    APPLICATION_SERVER MDMServiceAppServer02 RUNNING
Tue Mar 29 15:20:16 EDT 2016    NODE_AGENT         nodeagent       RUNNING
Tue Mar 29 15:20:16 EDT 2016    WEB_SERVER         MDMServiceHTTPServer01 RUNNING
Tue Mar 29 15:20:16 EDT 2016    WEB_SERVER         MDMServiceHTTPServer02 RUNNING

Thanks, Much Appreciated.

richgalloway · ‎03-29-2016

What is the intended purpose of the first rex command?
The second rex command doesn't extract any fields. Try this

... | rex field=line "(?<Eventtime>\w+\s\w+\s\d+\s\d+:\d+:\d+\s\w+\s\d+)\s+(?<ServerType>[\w_]+)\s+(?<ServerName>\w+)\s+(?<Status>\w+)" | ...

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎03-29-2016

Based on your sample search, you've multiline event. I would suggest to configure line breaking to split those multiple events as separate events as I can see they all have timestamp and good candidates for line breaking. It will also reduce load on indexers.

Meanwhile, Try this (check the line 1 and update according your current search)

index="myindex" sourcetype="mysourcetype" | rex "(?m)^(?<line>\V+)$" max_match=10000 | table line | mvexpand line
  | rex field=line "^(?<Eventtime>(\S+\s+){6})(?<ServerType>\S+)\s+(?<ServerName>\S+)\s+(?<Status>\S+)"

If above doesn't work try this as well

index="myindex" sourcetype="mysourcetype" | rex "(?m)^(?<line>\V+)$" max_match=10000 | table line | mvexpand line | rex mode=sed field=line "s/^\s+(.+)/\1/"   | rex field=line "^(?<Eventtime>(\S+\s+){6})(?<ServerType>\S+)\s+(?<ServerName>\S+)\s+(?<Status>\S+)"

yuanliu · ‎03-29-2016

Agree that multiline events are your enemy, especially when every line has a valid timestamp.

richgalloway · ‎03-29-2016

What are the fields?

---
If this reply helps you, Karma would be appreciated.

vamseepotluri · ‎03-29-2016

Fields should be something like this.

Eventtime ServerType ServerName Status
Tue Mar 29 15:20:16 EDT 2016 DEPLOYMENT_MANAGER dmgr RUNNING

yuanliu · ‎03-29-2016

You want to post what have you been trying, and explain what particular expectation is not met by your method.

vamseepotluri · ‎03-29-2016

index="myindex" sourcetype="mysourcetype" | rex "(?m)^(?\V+)$" max_match=10000 | table line | mvexpand line | rex field=line "^(?%w\s%b\s%d\s%H:%M:%S\s%Z\s%Y\d+)\s+(?[a-zA-Z]\d+)\s+(?[a-z0-9#]\d+)\s+(?[a-zA-Z]\d+)$" | table eventtime, SERVERTYPE, SERVERNAME, STATUS

How to split event lines into multiple fields using regex?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation