Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Split up multiline values

secphilomath1
Explorer
‎03-05-2024 01:19 PM

I am trying to run the following search:

index=tripwire LogCategory="Audit Event" AND "/etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-7" AND "myserver.mydomain.com"
| rex max_match=0 field=_raw "(?<lineData>[^\n]+)"
| rex field=Msg "'(?<FilePath>.*)' accessed by"
| rex field=_raw "accessed\sby\s'(?<Audit_UserName>.*)'.\sType"

| table _time, FilePath, Audit_UserName

However, the way I am splitting the multiline data doesn't appear to be working with this data.

Here is a sample of the data as viewed in Notepad++ with symbols;

secphilomath1_0-1709673410204.png

Every line ends in CR LF 

However, in Splunk it isn't splitting up the events.  What am I missing here?  I have had this work with similar data but unsure what is different in this situation.

TIA!

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎03-05-2024 01:55 PM

I can't quiet tell what is the input data and how Splunk is splitting.

Do you want separate events for each time you have Feb 13 etc? If so provide a props for your indexers to say that the event starts with the date at the beginning of the line etc.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

secphilomath1
Explorer
‎03-05-2024 01:40 PM

Not yet no

0 Karma
Reply
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎03-05-2024 01:55 PM

I can't quiet tell what is the input data and how Splunk is splitting.

Do you want separate events for each time you have Feb 13 etc? If so provide a props for your indexers to say that the event starts with the date at the beginning of the line etc.

 

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎03-05-2024 01:39 PM

Hi so how is are the events being split by Splunk? And do you have any props to tell splunk how to split the events?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...