Solved: Re: Multi Line Event Field Extraction

johndunlea · ‎06-22-2011

I have a SINGLE event in the following format (this is only part of the log):

/root/pegaruninit: Empty file
/root/eicar: Eicar-Test-Signature FOUND
/root/.bash_history: Empty file

This is part of an Antivirus log which is a "dump" of all the locations it scanned, and any viruses or signatures that it found.

What i want to do is create a REGEX and REPORT that extracts the "Eicar-Test_Signature" from the log, and place it in a field called "virus_found".

props.conf:

REPORT-extract_virus_clamav = extract_virus_clamav

transforms.conf:

[extract_virus_clamav]
REGEX = :\s(.+?)\sFOUND
FORMAT = virus_found::$1

Problem is that it is taking the FIRST ":" and taking everything from " Empty file/root/eicar: Eicar-Test-Signature" and placing THIS in the new field.

Is there a way to call a field extraction from ONE line at a time, from a multi line event??
EG: if the REGEX does not match the ":" AND the "FOUND" in one line, it continues to look through other lines??

I hope this makes sense!

Thanks!

southeringtonp · ‎06-22-2011

Don't let your capture group include newlines and you should be ok.

REGEX = :\s([^\r\n]+)\sFOUND

View solution in original post

southeringtonp · ‎06-22-2011

Don't let your capture group include newlines and you should be ok.

REGEX = :\s([^\r\n]+)\sFOUND

johndunlea · ‎06-22-2011

Perfect solution. Thanks!

Multi Line Event Field Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation