Hi,
I'm having issues with extracting a field from multi-line events. Two samples are below. I want to grab the value of "Enterprise:". In most events, the Enterprise line is followed by "Object:", but in other events, it is the last line of the event. I am unable to extract the field properly in both scenarios. I tried the IFX, which tested ok, but when I actually ran a search against it, it didn't work - it grabs everything after Enterprise, including all the "Object" stuff.
Any ideas? Also, keep in mind that the length of Enterprise will vary.
Trap Type: Authentication Failure
Specific Type: 0
Enterprise: 1.3.6.1.4.1.564.101.1

Trap Type: Vendor Specific
Specific Type: 1085
Enterprise: 1.3.6.1.4.1.3167.1.2.8
Object:1.3.6.1.4.1.3167.1.1.1 Value:3
It really shouldn't matter what line Enterprise is followed by if you write a regex properly.
Try:
[\r\n]\s*Enterprise:\s*(?P<enterprise>[^\r\n]*)(?:[\r\n]|$)
I just tested the regex with a regex tool, not splunk; so if for whatever reason the above doesn't work, try this one instead. This option enables the regex "multiline" mode.
(?m)^\s*Enterprise:\s*(?P<enterprise>.*)$
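The following is an added test harness, not part of the answer above or of Splunk itself. It runs both regexes from the answer, unchanged, against the two sample events from the question using Python's re module as a stand-in for Splunk's PCRE engine (both treat `.` as matching any character except `\n`). It also feeds each event with CRLF line endings, and a third event (constructed here, not from the question) where "Enterprise:" is the very first line, to show where each pattern behaves differently: the multiline pattern keeps a trailing carriage return when the value is followed by a CRLF-terminated line, and the line-bounded pattern requires a line break before "Enterprise:", so it does not match on the first line of an event.

```python
import re
from typing import Dict, Optional

# The two sample events from the question, reconstructed with "\n" line endings.
EVENT_LAST_LINE = (
    "Trap Type: Authentication Failure\n"
    "Specific Type: 0\n"
    "Enterprise: 1.3.6.1.4.1.564.101.1"
)
EVENT_FOLLOWED_BY_OBJECT = (
    "Trap Type: Vendor Specific\n"
    "Specific Type: 1085\n"
    "Enterprise: 1.3.6.1.4.1.3167.1.2.8\n"
    "Object:1.3.6.1.4.1.3167.1.1.1 Value:3"
)
# Constructed edge case (not in the question): Enterprise is the first line of the event.
EVENT_FIRST_LINE = (
    "Enterprise: 1.3.6.1.4.1.564.101.1\n"
    "Object:1.3.6.1.4.1.3167.1.1.1 Value:3"
)

# The two regexes exactly as given in the answer.
REGEX_LINE_BOUNDED = r"[\r\n]\s*Enterprise:\s*(?P<enterprise>[^\r\n]*)(?:[\r\n]|$)"
REGEX_MULTILINE = r"(?m)^\s*Enterprise:\s*(?P<enterprise>.*)$"


def extract_enterprise(event: str, pattern: str) -> Optional[str]:
    """Return the 'enterprise' capture group, or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group("enterprise") if m else None


def check_patterns(event: str) -> Dict[str, Optional[str]]:
    """Run both patterns against the event with LF and with CRLF line endings.

    The CRLF variant is what a Windows-originated or raw SNMP trap log may contain;
    it is built here by rewriting the constructed LF events.
    """
    crlf = event.replace("\n", "\r\n")
    return {
        "line_bounded_lf": extract_enterprise(event, REGEX_LINE_BOUNDED),
        "line_bounded_crlf": extract_enterprise(crlf, REGEX_LINE_BOUNDED),
        "multiline_lf": extract_enterprise(event, REGEX_MULTILINE),
        "multiline_crlf": extract_enterprise(crlf, REGEX_MULTILINE),
    }


if __name__ == "__main__":
    for name, event in (
        ("last line", EVENT_LAST_LINE),
        ("followed by Object", EVENT_FOLLOWED_BY_OBJECT),
        ("first line (constructed)", EVENT_FIRST_LINE),
    ):
        print(name)
        for variant, value in check_patterns(event).items():
            # repr() makes a stray "\r" in the captured value visible.
            print(f"  {variant:18s} -> {value!r}")
```

The point of the CRLF rows is the `\r` that survives in `multiline_crlf` for the "followed by Object" event: `$` in multiline mode matches just before `\n`, and `.` happily consumes the preceding `\r`, so the extracted field is no longer equal to the OID string. The line-bounded pattern avoids that because `[^\r\n]*` stops at either line terminator; its trade-off is the leading `[\r\n]`, which means it never matches an "Enterprise:" on the first line of an event.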
Thanks. Looks like the first one worked - second did not.