@smolcj

Even if this is one single event and not being broken apart you should still be able to extract the idletime as a field.

Thread\sEvent\d.*[\r\n]\s+Idletime\:(?<##myIdleTime>\d+\.\d{2})

(Please remove the hashes from the line above, the formatting on answers doesn't like angle brackets.)

Splunk will look over multiple lines by default so you don't really have to set the (?m) flag.

Based on your comments you are actually looking to extract multiple fields from the multiline event you provided. With that in mind, I have taken the event log snippet and highlighted everything that based on your original question and your comments are what you wish to extract as fields:

Thread Event1 blablabla [something]....completed.

      idletime:45.56

Thread Event2 blablabla [something]....completed.no ststistics

Thread Event3 blablabla [something]....completed.no ststistics

Thread Event4 blablabla [something]....completed.no ststistics

Thread Event5 blablabla [something]....completed.

      idletime:45.56

The previous regex already extracts the idletime for you across multiple lines. Based on your regex in the comments;

(?i)Threads(?P<fieldname1>[^s]+)sblablablas[(?P<fieldname2>[^]]+)]...completed.nosstatistics

you would also like to extract another 2 fields. I am not sure if there were any typo's when you included that in your comments and the formatting rules made it a bit odd, but here is a corrected regex to match what you posted:

Thread\s(?<##fieldname1>[^\s]+).*?\[(?<##fieldname2>[^\]]+)\]\.{4}completed.no\sststistics

Lastly if you want to change that last regex to get the event number and "something" then you may want to change the above regex to:

Thread\s(?<##fieldname1>[^\s]+).*?\[(?<##fieldname2>[^\]]+)\]