Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex : Keep Left Indention

Sukisen1981
Champion
‎07-14-2018 12:33 AM

Hi,
I have logs like this :
Exception in thread "main" java.lang.RuntimeException: Some other message
at Exceptions.main(Exceptions.java:4)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)
Caused by: java.lang.RuntimeException: Some message
at Exceptions.main(Exceptions.java:3)
These are my raw events and I am able to extract them using regex, my issue is the left indentation for the first line and "Caused by" is of course, missing when i extract them using regex. Currently my regex return something like this:
Exception in thread "main" java.lang.RuntimeException: Some other message
at Exceptions.main(Exceptions.java:4)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)
Caused by: java.lang.RuntimeException: Some message
at Exceptions.main(Exceptions.java:3)
Is there a way to preserve the left indentation wherever applicable?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-14-2018 03:00 PM

I cover this in in this Q&A but the problem is that Splunk presents newlines in data as spaces and there is NO way to change this. The work-around is to split the field into a multi-valued field at each newline:

https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-14-2018 01:45 AM

You can use rex in sed mode to remove spaces at the beginning of lines in your field.

| rex field=yourFieldName mode=sed “s/^\s+//g”
0 Karma
Reply

Sukisen1981
Champion
‎07-14-2018 01:50 AM

Hi yes, the sed mode is one option, and I was not clear on stating my initial needs. I meant , can something apply to this extraction in specific only?
I have other raw fields with lines having indentation and I do not want them to retain their original indents. The other set should come without indents. When i apply the sed regex above it applies to all my raw events, and i don't want that

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-14-2018 02:16 AM

Change field=yourFieldName to the field name that you want to apply this to. By default it uses _raw which is all the data.

0 Karma
Reply

Sukisen1981
Champion
‎07-14-2018 02:20 AM

Hi, Thanks a lot. I am a bit under the weather today, but I feel we are pretty near, the issue here is I am trying this on _raw field and I have to as these are raw log entries. So, how can I assign a field name here?
If i assign _raw it of course takes all the events AND I have to apply this to the _raw events.
Just one step away I guess :)?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-14-2018 04:16 AM

I’m confused. Can you share a screenshot of your search and the results?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...