Hi
I have some logs in the format below (multiple lines in each log). Note that there are spaces at the start of each line.
SPACES amount:
SPACES purchAmount: 6300
SPACES currency: 978
I am using the following regex to extract a field (I would replicate this for other fields):
(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$
It doesn't seem to work. Could anyone help with this?
Many thanks!
Hi Zac,
Go through the link below:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX
Hope it will help your concerns as it automatically creates the field extraction as per your requirement.
Hi
I have used the regex extractor on many other logs. However, when I try to use it on this multiline log, I get the following error:
'The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.'
Thanks
You should be able to extract your fields with
amount:\s(?<amount>.*)
for amount,
purchAmount: (?<purchAmount>.*)
for purchAmount and so forth. Try your regexes online, for example at regex101 - it helps a lot!
You have a named group without a name. This string works for me:
(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$
I think your regex is corrupted. When you post regexes, always use the code function (or indent by four spaces by hand).
The regex was supposed to be as follows:
(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$
Apologies for that!
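The following is an added example, not code from any poster in this thread: a Python sketch of line-anchored extraction over a constructed event shaped like the one in the question, including the empty `amount:` line. Python's `re` has no `U` flag, so the quantifiers are written out explicitly; the function names and the sample event are assumptions made for illustration.

```python
import re

# Constructed sample event modelled on the lines in the question:
# leading spaces, one "key: value" pair per line, "amount" left empty.
SAMPLE_EVENT = (
    "    amount:\n"
    "    purchAmount: 6300\n"
    "    currency: 978\n"
)


def field_pattern(name):
    # re.MULTILINE makes ^ and $ match at every line of the event.
    # [ \t] is used instead of \s because \s also matches a newline,
    # which would let an empty value run on into the next line.
    return re.compile(
        r"^[ \t]+" + re.escape(name) + r":[ \t]*(?P<value>[^\n]*?)[ \t]*$",
        re.MULTILINE,
    )


def extract_fields(event, names):
    """Return {name: value} for every requested field found in the event."""
    found = {}
    for name in names:
        match = field_pattern(name).search(event)
        if match:
            found[name] = match.group("value")
    return found


# Unanchored pattern with \s after the colon, kept for comparison.
LOOSE_AMOUNT = re.compile(r"amount:\s(?P<amount>.*)")


def loose_amount(event):
    """Show what an unanchored \\s-based pattern captures for an empty field."""
    match = LOOSE_AMOUNT.search(event)
    return match.group("amount") if match else None


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT, ["amount", "purchAmount", "currency"]))
    print(repr(loose_amount(SAMPLE_EVENT)))
```

When a field is empty, the `\s` after the colon consumes the newline and the capture group picks up the following line, which is why the anchored version restricts itself to spaces and tabs.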