Splunk Search

multi-line extract help

a212830
Champion

Hi,

I'm having issues with extracting a field from multi-line events. Two samples are below. I want to grab the value of "Enterprise:". In most events, the Enterprise line is followed by "Object:", but in other events, it is the last line of the event. I am unable to extract the field properly in both scenarios. I tried the IFX, which tested ok, but when I actually ran a search against it, didn't work - it grabs everything after Enterprise, including all the "Object" stuff.

Any ideas? Also, keep in mind that the length of Enterprise will vary.

Trap Type: Authentication Failure
Specific Type: 0
Enterprise: 1.3.6.1.4.1.564.101.1

Trap Type: Vendor Specific
Specific Type: 1085
Enterprise: 1.3.6.1.4.1.3167.1.2.8
Object:1.3.6.1.4.1.3167.1.1.1 Value:3

0 Karma
1 Solution

Lowell
Super Champion

It really shouldn't matter what line Enterprise is followed by if you write a regex properly.

Try:

[\r\n]\s*Enterprise:\s*(?P<enterprise>[^\r\n]*)(?:[\r\n]|$)

I just tested the regex with a regex tool, not splunk; so if for whatever reason the above doesn't work, try this this one instead. This option enabled the regex "multiline" mode.


(?m)^\s*Enterprise:\s*(?P<enterprise>.*)$

View solution in original post

Lowell
Super Champion

It really shouldn't matter what line Enterprise is followed by if you write a regex properly.

Try:

[\r\n]\s*Enterprise:\s*(?P<enterprise>[^\r\n]*)(?:[\r\n]|$)

I just tested the regex with a regex tool, not splunk; so if for whatever reason the above doesn't work, try this this one instead. This option enabled the regex "multiline" mode.


(?m)^\s*Enterprise:\s*(?P<enterprise>.*)$

a212830
Champion

Thanks. Looks like the first one worked - second did not.

0 Karma
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...