Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple-lines fields extraction from an already extracted field

royimad
Builder
‎08-22-2013 03:44 AM

Hello,

I have a text extracted in a field called MessageBody , the text contains multilines not a single lines and fields are separated by dash "-"
The text format is the following:
Field1 - Field2 - Needed Field3 -
Field4 - Field5
Another Field1 - Another Field2 - Another Needed Field3 -
Another Field4 - Another Field5

I need a regular expression to extract Fields number 3, How can i do that?

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-22-2013 05:15 AM

The following should work as an extract in props.conf; non-space followed by space, dash, space - two times, then grab all non-space as field3

EXTRACT-blah = (?m)^(\S+\s\-\s){2}(?<field3>\S+)

0 Karma
Reply

nekb1958
Path Finder
‎08-22-2013 04:55 AM

Hi

sounds for me similar to my problem to parse the email of my dsl-router with embedded logline entries.
I stored the entries (unique pattern "timestamp followed from 4 spaces") as a multivalue field with a transformation and then splitted it in timestamp-logmessage pairs with

index=mail | mvexpand logevents | table logevents | rex field=logevents "..." | ...

in your case i would try to split the field MessageBody at the end of line characters into a mv-field with makemv

after that "mvexpand MessageBody" maybe with a trailing " | table MessageBody "

and then parse every line (now a single event) with a regex like

rex field=MessageBody "(?[^-]+)-(?[^-]+)-(?[^-]+)-"

maybe that helps you to find your solution?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...