Re: Is there a way to capture the last line/senten...

Cheng2Ready · ‎08-12-2024

There is no Pattern or punctuation so running Regex might not work in this situation since I cant know what kind of Error or pattern will appear in the final line/sentence in the field.
the last sentence can be anything and unpredictable so just wanted to see if there is a way to grab the last line of log that is in the field.

This example most likely wont help but paints a picture that I just want the last line.

index=example
|search "House*"
|table Message

log looks similar like this:

Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example /local/line499
D://example ......a bunch of sensative information
D://example /crab/lin650
D://example ......a bunch of sensative information
D://user/local/line500

Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : someone stepped on the wire.

Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://user/local/line980 ,indo

Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : Simon said Look

Goal:
D://user/local/line500
Error : someone stepped on the wire.
D://user/local/line980 ,indo
Error : Simon said Look

I hope this makes sense....

yuanliu · ‎08-13-2024

I don't know how to extract last sentence, but last line is easy.

| eval lastline = mvindex(split(Message, "
"), -1)

Here is a data emulation you can play with and compare with real data

| makeresults
| fields - _*
| eval Message = mvappend("Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example /local/line499
D://example ......a bunch of sensative information
D://example /crab/lin650
D://example ......a bunch of sensative information
D://user/local/line500", "Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : someone stepped on the wire", "Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://user/local/line980 ,indo", "Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : Simon said Look")
| mvexpand Message
``` the above emulates
index=example "House*"
```

Output using this emulation is

Message	lastline
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example /local/line499 D://example ......a bunch of sensative information D://example /crab/lin650 D://example ......a bunch of sensative information D://user/local/line500	D://user/local/line500
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : someone stepped on the wire	Error : someone stepped on the wire
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://user/local/line980 ,indo	D://user/local/line980 ,indo
Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : Simon said Look	Error : Simon said Look

KendallW · ‎08-12-2024

Hi @Cheng2Ready Yes, you just have to split each line of the field as a separate event, then you can use stats last to grab the last line:

index=example "House*" Message=*
| makemv Message 
| mvexpand Message
| stats last(Message) as last_line

Cheng2Ready · ‎08-13-2024

@KendallW Thank you for the response
but it returned only a single word no the whole sentence

('testing',

when I table it it splits it into like this:

Starting logs

recent

logs) :

( most
😧

"/example ......a bunch of sensative information"

Error:

someone stepped on the wire.

Goal is to have it like this:
D:"//user/local/line500"
Error : someone stepped on the wire.
D://user/local/line980 ,indo
Error : Simon said Look

Is there a way to capture the last line/sentence of the log in a field?

Other

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability