Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multi line field Extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm having problem with a multi-line field extraction which I have been struggling to figure out. Im wondering if I could get some help with this. Essentially I'm trying to extract everything from the ">>>" through to "ERR" (non-inclusive) for the field, the field can range to multiple lines anything from 1 up to 25. I'd be very grateful if someone could help me out here, or even point me in the right direction.
/>>>
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
1 25MAY10 test1 test2 00.00 00000.00
ERR
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use the regex modifier s so that dots match newlines, and possibly also the m modifier so that carets and dollars math before and after newlines (though I don't use m in the example below because it doesn't make use of carets and dollars).
... | rex "(?s)/>>>(?<myfield>.+?)ERR"
More information on regex modifiers: http://www.regular-expressions.info/modifiers.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use the regex modifier s so that dots match newlines, and possibly also the m modifier so that carets and dollars math before and after newlines (though I don't use m in the example below because it doesn't make use of carets and dollars).
... | rex "(?s)/>>>(?<myfield>.+?)ERR"
More information on regex modifiers: http://www.regular-expressions.info/modifiers.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excuse the delay in getting back to you in a timely fashion, that works perfectly. I knew I had to use either Multi-line or Single line options but I couldn't get the syntax quite right. Thanks for your help.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights
Event Series: Telemetry Pipeline Management
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
