Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple-lines fields extraction from an already extracted field

royimad
Builder
‎08-22-2013 03:44 AM

Hello,

I have a text extracted in a field called MessageBody , the text contains multilines not a single lines and fields are separated by dash "-"
The text format is the following:
Field1 - Field2 - Needed Field3 -
Field4 - Field5
Another Field1 - Another Field2 - Another Needed Field3 -
Another Field4 - Another Field5

I need a regular expression to extract Fields number 3, How can i do that?

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-22-2013 05:15 AM

The following should work as an extract in props.conf; non-space followed by space, dash, space - two times, then grab all non-space as field3

EXTRACT-blah = (?m)^(\S+\s\-\s){2}(?<field3>\S+)

0 Karma
Reply

nekb1958
Path Finder
‎08-22-2013 04:55 AM

Hi

sounds for me similar to my problem to parse the email of my dsl-router with embedded logline entries.
I stored the entries (unique pattern "timestamp followed from 4 spaces") as a multivalue field with a transformation and then splitted it in timestamp-logmessage pairs with

index=mail | mvexpand logevents | table logevents | rex field=logevents "..." | ...

in your case i would try to split the field MessageBody at the end of line characters into a mv-field with makemv

after that "mvexpand MessageBody" maybe with a trailing " | table MessageBody "

and then parse every line (now a single event) with a regex like

rex field=MessageBody "(?[^-]+)-(?[^-]+)-(?[^-]+)-"

maybe that helps you to find your solution?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...