- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multi line field Extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm having problem with a multi-line field extraction which I have been struggling to figure out. Im wondering if I could get some help with this. Essentially I'm trying to extract everything from the ">>>" through to "ERR" (non-inclusive) for the field, the field can range to multiple lines anything from 1 up to 25. I'd be very grateful if someone could help me out here, or even point me in the right direction.
/>>>
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
ERR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use the regex modifier s so that dots match newlines, and possibly also the m modifier so that carets and dollars math before and after newlines (though I don't use m in the example below because it doesn't make use of carets and dollars).
... | rex "(?s)/>>>(?<myfield>.+?)ERR"
More information on regex modifiers: http://www.regular-expressions.info/modifiers.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use the regex modifier s so that dots match newlines, and possibly also the m modifier so that carets and dollars math before and after newlines (though I don't use m in the example below because it doesn't make use of carets and dollars).
... | rex "(?s)/>>>(?<myfield>.+?)ERR"
More information on regex modifiers: http://www.regular-expressions.info/modifiers.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excuse the delay in getting back to you in a timely fashion, that works perfectly. I knew I had to use either Multi-line or Single line options but I couldn't get the syntax quite right. Thanks for your help.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
