Splunk Search

multi-line extract help

a212830
Champion

Hi,

I'm having issues with extracting a field from multi-line events. Two samples are below. I want to grab the value of "Enterprise:". In most events, the Enterprise line is followed by "Object:", but in other events, it is the last line of the event. I am unable to extract the field properly in both scenarios. I tried the IFX, which tested ok, but when I actually ran a search against it, didn't work - it grabs everything after Enterprise, including all the "Object" stuff.

Any ideas? Also, keep in mind that the length of Enterprise will vary.

Trap Type: Authentication Failure
Specific Type: 0
Enterprise: 1.3.6.1.4.1.564.101.1

Trap Type: Vendor Specific
Specific Type: 1085
Enterprise: 1.3.6.1.4.1.3167.1.2.8
Object:1.3.6.1.4.1.3167.1.1.1 Value:3

0 Karma
1 Solution

Lowell
Super Champion

It really shouldn't matter what line Enterprise is followed by if you write a regex properly.

Try:

[\r\n]\s*Enterprise:\s*(?P<enterprise>[^\r\n]*)(?:[\r\n]|$)

I just tested the regex with a regex tool, not splunk; so if for whatever reason the above doesn't work, try this this one instead. This option enabled the regex "multiline" mode.


(?m)^\s*Enterprise:\s*(?P<enterprise>.*)$

View solution in original post

Lowell
Super Champion

It really shouldn't matter what line Enterprise is followed by if you write a regex properly.

Try:

[\r\n]\s*Enterprise:\s*(?P<enterprise>[^\r\n]*)(?:[\r\n]|$)

I just tested the regex with a regex tool, not splunk; so if for whatever reason the above doesn't work, try this this one instead. This option enabled the regex "multiline" mode.


(?m)^\s*Enterprise:\s*(?P<enterprise>.*)$

a212830
Champion

Thanks. Looks like the first one worked - second did not.

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...