Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there a way to capture the last line/sentence o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to capture the last line/sentence of the log in a field?
There is no Pattern or punctuation so running Regex might not work in this situation since I cant know what kind of Error or pattern will appear in the final line/sentence in the field.
the last sentence can be anything and unpredictable so just wanted to see if there is a way to grab the last line of log that is in the field.
This example most likely wont help but paints a picture that I just want the last line.
index=example
|search "House*"
|table Message
log looks similar like this:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example /local/line499
D://example ......a bunch of sensative information
D://example /crab/lin650
D://example ......a bunch of sensative information
D://user/local/line500
Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : someone stepped on the wire.
Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://user/local/line980 ,indo
Next example:
Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : Simon said Look
Goal:
D://user/local/line500
Error : someone stepped on the wire.
D://user/local/line980 ,indo
Error : Simon said Look
I hope this makes sense....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know how to extract last sentence, but last line is easy.
| eval lastline = mvindex(split(Message, "
"), -1)
Here is a data emulation you can play with and compare with real data
| makeresults
| fields - _*
| eval Message = mvappend("Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example /local/line499
D://example ......a bunch of sensative information
D://example /crab/lin650
D://example ......a bunch of sensative information
D://user/local/line500", "Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : someone stepped on the wire", "Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://user/local/line980 ,indo", "Starting logs( most recent logs) :
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
D://example ......a bunch of sensative information
Error : Simon said Look")
| mvexpand Message
``` the above emulates
index=example "House*"
```
Output using this emulation is
| Message | lastline |
| Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example /local/line499 D://example ......a bunch of sensative information D://example /crab/lin650 D://example ......a bunch of sensative information D://user/local/line500 | D://user/local/line500 |
| Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : someone stepped on the wire | Error : someone stepped on the wire |
| Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://user/local/line980 ,indo | D://user/local/line980 ,indo |
| Starting logs( most recent logs) : D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information D://example ......a bunch of sensative information Error : Simon said Look | Error : Simon said Look |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Cheng2Ready Yes, you just have to split each line of the field as a separate event, then you can use stats last to grab the last line:
index=example "House*" Message=*
| makemv Message
| mvexpand Message
| stats last(Message) as last_line - Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@KendallW Thank you for the response
but it returned only a single word no the whole sentence
('testing',
when I table it it splits it into like this:
Starting logs
recent
logs) :
( most
😧
"/example ......a bunch of sensative information"
Error:
someone stepped on the wire.
Goal is to have it like this:
D:"//user/local/line500"
Error : someone stepped on the wire.
D://user/local/line980 ,indo
Error : Simon said Look
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
