Solved: Trouble with REX command on a multi-line event

like2splunk · ‎04-17-2017

Hello,
I'm running a streamstats command that prints out a series of previously-searched events. There are often more than one "ERROR" events within each group. As such, I want to rex the entire ERROR message (composed of multiple lines). Below is an example ERROR event (in BOLD).

2017-03-08 10:34:34,067 [ WARN] {Application Queue} (com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - ScanningController failure: NECU Transitioned to Error State NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01) SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)

As you can see, there are multiple lines for a single timestamp. I want to rex everything after the "ScanningController failure:" string. So the result would simply look like this:

NECU Transitioned to Error State NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01) SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)

How do I do this? I tried the following but it does not work: | rex "Transitioned to Error State: .?(?<_error_msg>.?)$"

It would also be nice to extract that timestamp as well and place it in a variable if someone can help me do so!

Thank you in advance!

Ravan · ‎04-17-2017

Can you try

rex "^(?P<time>[^\,]*)\,.*ScanningController failure\:\s(?<error_msg>.*)$"

View solution in original post

alemarzu · ‎04-18-2017

Hey there,

This should grab all the errors per event into one single field. | rex "Transitioned\sto\sError\sState\s+(?<ALL_ERROR_LINES>[\n\r\s\S\d]+)"
If you want to extract those errors individually. | rex max_match=10 "^(?<AA>[A-Z]+\sError:\s[^\n]+)"
Or something more granular like field=value (ie: error_type=NECU msg="[0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83"), something like this should work.

props.conf

[your_sourcetype]
REPORT-multi_errors = multi_error_values

transforms.conf

[multi_error_values]
REGEX = ^(?<_KEY_1>[A-Z]+\sError):\s(?<_VAL_1>[^\n]+)
REPEAT_MATCH = true
CLEAN_KEYS = 1

Hope it helps.

Ravan · ‎04-17-2017

Can you try

rex "^(?P<time>[^\,]*)\,.*ScanningController failure\:\s(?<error_msg>.*)$"

like2splunk · ‎04-17-2017

All I get from your rex is the following:

"NECU Transitioned to Error State" (this corresponds to the first line only. I need the remaining four lines as well. How do I grab those?

FYI, the logfile looks like this:

2017-03-08 10:34:34,067 [ WARN] {Application Queue} (com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - ScanningController failure: NECU Transitioned to Error State

NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83

FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83

RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01)

SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)

richgalloway · ‎04-17-2017

Try this regex string

ScanningController failure:\s(?<error_msg>.*)

The timestamp is already in a field called _time.

BTW, you shouldn't start your field names with an underscore. Such fields names are reserved by Splunk.

---
If this reply helps you, Karma would be appreciated.

like2splunk · ‎04-17-2017

All I get from your rex is the following:

"NECU Transitioned to Error State" (this corresponds to the first line only. I need the remaining four lines as well. How do I grab those?

FYI, the logfile looks like this:

2017-03-08 10:34:34,067 [ WARN] {Application Queue} (com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - ScanningController failure: NECU Transitioned to Error State

NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83

FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83

RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01)

SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)

richgalloway · ‎04-18-2017

Try adding the single line flag:

(?s)ScanningController failure:\s(?<error_msg>.*)

---
If this reply helps you, Karma would be appreciated.

Trouble with REX command on a multi-line event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation