Re: Regex : Keep Left Indention

Sukisen1981 · ‎07-14-2018

Hi,
I have logs like this : Exception in thread "main" java.lang.RuntimeException: Some other message at Exceptions.main(Exceptions.java:4) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147) Caused by: java.lang.RuntimeException: Some message at Exceptions.main(Exceptions.java:3)
These are my raw events and I am able to extract them using regex, my issue is the left indentation for the first line and "Caused by" is of course, missing when i extract them using regex. Currently my regex return something like this:Exception in thread "main" java.lang.RuntimeException: Some other message at Exceptions.main(Exceptions.java:4) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147) Caused by: java.lang.RuntimeException: Some message at Exceptions.main(Exceptions.java:3)
Is there a way to preserve the left indentation wherever applicable?

woodcock · ‎07-14-2018

I cover this in in this Q&A but the problem is that Splunk presents newlines in data as spaces and there is NO way to change this. The work-around is to split the field into a multi-valued field at each newline:

https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html

jkat54 · ‎07-14-2018

You can use rex in sed mode to remove spaces at the beginning of lines in your field.

| rex field=yourFieldName mode=sed “s/^\s+//g”

Sukisen1981 · ‎07-14-2018

Hi yes, the sed mode is one option, and I was not clear on stating my initial needs. I meant , can something apply to this extraction in specific only?
I have other raw fields with lines having indentation and I do not want them to retain their original indents. The other set should come without indents. When i apply the sed regex above it applies to all my raw events, and i don't want that

jkat54 · ‎07-14-2018

Change field=yourFieldName to the field name that you want to apply this to. By default it uses _raw which is all the data.

Sukisen1981 · ‎07-14-2018

Hi, Thanks a lot. I am a bit under the weather today, but I feel we are pretty near, the issue here is I am trying this on _raw field and I have to as these are raw log entries. So, how can I assign a field name here?
If i assign _raw it of course takes all the events AND I have to apply this to the _raw events.
Just one step away I guess :)?

jkat54 · ‎07-14-2018

I’m confused. Can you share a screenshot of your search and the results?

Regex : Keep Left Indention

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation