Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

multiline extraction issue

rraje_rgandhi
New Member
‎01-09-2018 03:03 AM

I'm having problem with a multi-line field extraction which I have been struggling to figure out.

2017-05-19T12:48:10,337|[http-nio-9094-exec-8]|INFO|VM!|com.alb.bps.common.validation.ImagingCommonValidator|436CCDF8BD1E405E131392C31DA79857|674e1625-750f-4311-a29d-787b1a92b4c8|user2|Normal|IBD2|Validator Request:DocumentVO [busFuncCd=16, busFuncDocType=CKS],imageVO=null]|documentId=>678910|endorsedVersion=>false|nativeFormat=>false|formatType=>JPEG|advisorView=>false|advisorId=>null|

2017-05-19T13:22:26,236|[http-nio-9094-exec-4]|INFO|VM@|com.alb.bps.common.validation.ImagingCommonValidator|EC801FC17F8362A0EF4DE84CC22BDAC7|74589db8-7d0c-41d7-b5a2-d3250631b0eb|null%40null|user1|Normal|IBD1|Validator Request:DocumentVO [busFuncCd=null,busFuncDocType=null,imageVO=null]|documentId=>12345|endorsedVersion=>true|nativeFormat=>true|formatType=>null|advisorView=>false|advisorId=>null|

Can you please help me ... 

^(?P[^\|]+)\|\[.*\]\|\w+\|(?P\w+)((.*\.\d+\|)|(.*\-\w+\|)|(.*\%\w+\|))(?P[^\|]+)
0 Karma
Reply

mayurr98
Super Champion
‎01-10-2018 12:44 AM

hey @rraje_rgandhi

I got the workaround for your query!
Try this!

^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>[^|]+)\|.*((null%40null\|)|(\-\w+\|))(?P<USERID>[^\|]+)

OR

^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>[^|]+)\|.*\-\w+\|((null%40null\|)|)(?P<USERID>[^\|]+)

https://regex101.com/r/s4yM1f/1
https://regex101.com/r/voZkXP/1

I think this should work.
Let me know if this helps !

0 Karma
Reply

horsefez
Motivator
‎01-09-2018 06:12 AM

Please stop crossposting the same questions by using multiple accounts!

I answered this on here:
https://answers.splunk.com/answers/609629/how-to-extract-the-files-each-line-has-different-f.html

0 Karma
Reply

rraje_rgandhi
New Member
‎01-09-2018 03:06 AM 
^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>\w+)((.*\.\d+\|)|(.*\-\w+\|)|(.*\%\w+\|))(?P<USERID>[^\|]+)
0 Karma
Reply

mayurr98
Super Champion
‎01-09-2018 07:18 AM

hey from your regex i think you need to extract only Date VM and USERID right?

so can you tell me what is the VM and USERID in your sample event?

0 Karma
Reply

rraje_rgandhi
New Member
‎01-09-2018 11:46 PM

in my logs, I have mentioned the VM as VM!, VM@
User as user1 and user2....

while use the above expression, for line 2 , instead of user1, I m getting null%40null..

0 Karma
Reply

mayurr98
Super Champion
‎01-09-2018 11:57 PM

hey is null%40null is static? i mean there is only null%40null before user in this kind of events?

0 Karma
Reply

rraje_rgandhi
New Member
‎01-10-2018 12:28 AM

yes , for this kind of events we have only null%40null before user id.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...