So when I get an error with the message "(Failed)" I want the line to be added to an extracted field as a value.
9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)
Any idea how to do the regular expression for this?
I always do this in search before moving it to a .conf file. I think that you want to select one line of a multiline event. This does that and creates a field labeled aaa:
... | rex field=_raw "(?m)(?P<aaa>^.* Failed.*$)"
Thank you for the recommendation but this doesn't return anything on my search
Give this a shot
Updated
your base search | rex "([\r\n]*)(?<message>[\S\s]*(?=\(Failed\)))"
Error in 'rex' command: Encountered the following error while compiling the regex '([\r\n])(?[\S\s](?=(Failed))': Regex: missing )
Oops... missed a bracket. Try the updated one.
Sorry for the delay, I've been away. It still returns the full event, not just the line from the multi-line event.
I hope you are using this rex in your field extraction on the Universal Forwarder.
Can you please update us with your LINE_BREAKER from props.conf,
or may we know your current props.conf and transforms.conf files please?
I'm trying to use the rex in the field extraction. I just need to get the rex to work. I've done quite a few other extractions using this method, but this one I can't get my head around.
Like this
... | rex "(?<msg>.*)\(Failed\)"
Sorry, no, it doesn't return the right data.
I simply need it so that when Splunk reads a multi-line event and it finds (Failed), it extracts that single line as an extracted value.
Hi,
I'm not 100% sure what you mean.
See if the following code helps:
| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| rex field=event "(?<error_line>.+\(Failed\)$)"
It will basically extract the line into a new field named error_line if the event contains the string (Failed). It is case sensitive in this case.
Alternatively you could simply do the following:
| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| eval error_line = if(match(event, ".+\(Failed\)$"), event, null())
If you don't need the bit that says (Failed):
| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| rex field=event "(?<error_line>.+?)\s+\(Failed\)$"
If it is a multiline event, use the following regex instead:
| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"
Regards,
J
If it is a multiline event, simply do the following instead:
| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"
No, that has put all lines into one event. I only need the line the error is on.
So just the line in bold above
Sorry, but this works fine for me with both a multiline event and a single event with multiple lines, so what am I missing here?
See below:
1:
| makeresults | fields - _time
| eval event = "
1.sdfiosdfjgiojsdf;
2.dfosdogijsdfiojsdfg (Failed);
3.oisdjfgo[idjsfgoiiojsdfg"
| eval event = split(event, ";")
| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"
2:
| makeresults | fields - _time
| eval event = "
1.sdfiosdfjgiojsdf
2.dfosdogijsdfiojsdfg (Failed)
3.oisdjfgo[idjsfgoiiojsdfg"
| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"
Output (see pictures below):
Ah, I see what you've got, but that's not what I'm after.
So where the "event" has 3 lines I ONLY want line 2.
Try this.
(?<field>.*(?=\(Failed\)))
I'm using this in field extractor. It appears to select the full event not just the line.
Thanks for your effort.
Please explain what you mean by "line". If you can, please share a full "event" with the "line" you wish to extract.
It's a multi-line event from our logs, so it would be like this.
Extracted value = " 2. dfosdogijsdfiojsdfg (Failed)"
Try this.
(?<field>\n.*(?=\(Failed\)))
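An added example, not posted by anyone in this thread: a Python script that runs the [\S\s]-based pattern quoted above and a line-bounded alternative over a constructed three-line event, showing exactly which characters each captures and what happens with CRLF line endings. It assumes Splunk's rex uses PCRE, where these constructs behave the same way as in Python's re module.

```python
import re

# Constructed multi-line event modelled on the sample in the thread (not real log data).
EVENT = (
    "1.sdfiosdfjgiojsdf\n"
    "2.dfosdogijsdfiojsdfg (Failed)\n"
    "3.oisdjfgo[idjsfgoiiojsdfg"
)

# The same event with Windows line endings, to show the \r edge case.
EVENT_CRLF = EVENT.replace("\n", "\r\n")

# Pattern quoted in the thread: [\S\s] matches ANY character, newlines included,
# so the capture runs from the start of the event up to "(Failed)".
SPANS_LINES = r"([\r\n]*)(?P<message>[\S\s]*(?=\(Failed\)))"

# Line-bounded alternative (assumption: Splunk's rex is PCRE, matching Python here):
# [^\r\n] can never cross a line break, ^ and $ are per-line under (?m), and the
# optional \r keeps CRLF data from breaking the $ anchor.
ONE_LINE = r"(?m)^(?P<error_line>[^\r\n]*\(Failed\)[^\r\n]*)\r?$"


def first_capture(pattern, event):
    """Return the text captured by the pattern's named group on the first match, or None."""
    m = re.search(pattern, event)
    return None if m is None else next(iter(m.groupdict().values()))


def failed_lines(event):
    """Return every line of the event containing '(Failed)', one string per line, no line breaks."""
    return [m.group("error_line") for m in re.finditer(ONE_LINE, event)]


if __name__ == "__main__":
    print(repr(first_capture(SPANS_LINES, EVENT)))  # capture includes line 1 and the newline
    print(failed_lines(EVENT))                        # ['2.dfosdogijsdfiojsdfg (Failed)']
    print(failed_lines(EVENT_CRLF))                   # same result, no stray '\r'
```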