Re: RegEx - When find a match get full line.

arrowecssupport · ‎08-11-2016

So when I get an error with the message "(Failed)" i want the line to be added to an extracted field as a value.

9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)

Any idea how to do the regular expression for this.

jdonn_splunk · ‎08-26-2016

I always do this in search before moving it to a .conf file. I think that you want to select one line of a multiline event. This does that and creates a field labeled aaa:

... | rex field=_raw "(?m)(?P^.* Failed.*$)"

arrowecssupport · ‎09-01-2016

Thank you for the recommendation but this doesn't return anything on my search

somesoni2 · ‎08-11-2016

Give this a shot
Updated

your base search | rex "([\r\n]*)(?<message>[\S\s]*(?=\(Failed\)))"

arrowecssupport · ‎08-11-2016

Error in 'rex' command: Encountered the following error while compiling the regex '([\r\n])(?[\S\s](?=(Failed))': Regex: missing )

somesoni2 · ‎08-11-2016

Oops... missed a bracket. Try the updated one.

arrowecssupport · ‎08-26-2016

Sorry for the delay been away. It still returns the the full event not just the line from the multi line event.

inventsekar · ‎08-26-2016

i hope you are using this rex in your field extraction on Universal forwarder..
can you please update us your LINE_BREAKER from props.conf..
or may we know your current props.conf and transforms.conf file please.

arrowecssupport · ‎09-01-2016

Use i'm trying to use the rex in the field extraction. I just -need to get the rex to work, I've done quite a few other extractions using this method but this wont i can't get my head around.

sundareshr · ‎08-11-2016

Like this

... | rex "(?<msg>.*)\(Failed\)"

arrowecssupport · ‎09-01-2016

Sorry not it doesn't return the right data.

I simply need it so when Splunk reads a multi line event and it find (Failed), it to extract that single line as an extracted value.

javiergn · ‎08-11-2016

Hi,

I'm not 100% what you mean.
See if the following code helps:

| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| rex field=event "(?<error_line>.+\(Failed\)$)"

It will basically extract the code into a new field named error_line if the event contains the string (Failed). Case sensitive in this case.

Alternatively you could simply do the following:

| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| eval error_line = if(match(event, ".+\(Failed\)$"), event, null())

If you don't need the bit that says (Failed):

| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| rex field=event "(?<error_line>.+?)\s+\(Failed\)$"

If multiline event use the following regex instead:

| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"

Regards,
J

javiergn · ‎08-11-2016

If multiline event simply do the following instead:

| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"

arrowecssupport · ‎08-11-2016

No that has put all lines into 1 event. I only need the line the error is on.

afiojsdfiohsdfsdjsdfgiojsdfgoijsdfg 2. ohsdfouhsdfguohsdfg (Failed)
osdfhgiosdhfgohisdfgiohjasdfgi

So just the line in bold above

javiergn · ‎08-11-2016

Sorry but this works fine for me with both multiline event and single event with multiple lines so what am I missing here?
See below:

1:

| makeresults | fields - _time
| eval event = "
1.sdfiosdfjgiojsdf;
2.dfosdogijsdfiojsdfg (Failed);
3.oisdjfgo[idjsfgoiiojsdfg"
| eval event = split(event, ";")
| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"

2:

| makeresults | fields - _time
| eval event = "
1.sdfiosdfjgiojsdf
2.dfosdogijsdfiojsdfg (Failed)
3.oisdjfgo[idjsfgoiiojsdfg"
| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"

Output (see pictures below):

arrowecssupport · ‎09-01-2016

Ah i see what you've got that but that's not what i'm after.
So where the "event" has 3 lines i ONLY want line 2.

richgalloway · ‎08-11-2016

Try this.

(?<field>.*(?=\(Failed\)))

---
If this reply helps you, Karma would be appreciated.

arrowecssupport · ‎08-11-2016

I'm using this in field extractor. It appears to select the full event not just the line.
Thanks for your effort.

richgalloway · ‎08-11-2016

Please explain what you mean by "line". If you can, please share a full "event" with the "line" you wish to extract.

---
If this reply helps you, Karma would be appreciated.

arrowecssupport · ‎08-11-2016

It's a multi line event so from our logs so it would be like this.

sdfiosdfjgiojsdf
dfosdogijsdfiojsdfg (Failed)
oisdjfgo[idjsfgoiiojsdfg

Extracted value = " 2. dfosdogijsdfiojsdfg (Failed)"

richgalloway · ‎08-11-2016

Try this.

(?<field>\n.*(?=\(Failed\)))

---
If this reply helps you, Karma would be appreciated.

RegEx - When find a match get full line.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!