Splunk Search

Regex: adding an empty line after value found

Giggs
New Member

Hi,

Newbie in regex, I would like help adding a line after transactionid=XXXXXX. My props.conf looks like this:

[source::/nyx/nogscore/log/nogscore-*]
SHOULD_LINEMERGE=False
BREAK_ONLY_BEFORE_DATE=false
LINE_BREAKER_LOOKBEHIND=500
LINE_BREAKER=(transactionid=[0-9]+)
DATETIME_CONFIG=CURRENT

LOG:
NNNN :000.01| 06:37:15 [4067241XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [40672414XXX] ws_api12.cpp:279 * CHECK : 10 NOGS:::#name=wager;accountid=2-4410XXX-USD,USD;activationid=;apiversion=1.0;betamount=0.06;campaignid=;clienttype=html5;currency=USD;gpgameid=doctorlove;gpid=100;jpc=;loginname=XXX;opid=XXX;password=XXX;request=wager;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 (Like a new line after this)
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
NNNN :000.00| 06:37:15 [4059315XXX] ws_api12.cpp:606 * CHECK : 10 NOGS:::#name=result;accountid=2-44101XXX-USD,USD;apiversion=1.0;clienttype=html5;currency=USD;gamestatus=completed;gpgameid=doctorlove;gpid=100;houseincome=;jpwonamount=;loginname=XXX;opid=XXX;password=XXXX;request=result;roundid=529233;sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268349;wonamount=0.00

0 Karma

woodcock
Esteemed Legend

I am going to assume you mean exactly what you said (which seems very strange to me). Do it like this in props.conf:

[source::/nyx/nogscore/log/nogscore-*]
SEDCMD-add_extra_newline_at_end_of_line_after_transactionid = s/(transactionid=.*$)/\1\n/g

Note: After making changes to props.conf and deploying to Indexers (or Heavy Forwarders), restart all Splunk Enterprise instances to enable the configuration changes. This applies ONLY TO EVENTS THAT ARE INDEXED POST-RESTART.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles

0 Karma

woodcock
Esteemed Legend

Are you saying that in your file that you would like to merge lines such that they are treated as a multi-line event all the way until the last line which should contain "transactionid=" and then at the next newline, break the event there and start a new event?

0 Karma
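Added example, not code from the thread: a short Python simulation of how Splunk applies LINE_BREAKER, written to show why the props.conf posted in the question would drop the transaction id from every event (the text matched by the first capturing group is the delimiter and is discarded) and how a pattern that puts the capturing group on the newline after the transactionid line merges the INFO and CHECK lines into one event while keeping the id, which is the interpretation woodcock asks about above. It also applies woodcock's SEDCMD per event. The log lines are constructed from the question's excerpt with most key=value pairs trimmed; SHOULD_LINEMERGE=false is assumed throughout, and only the documented capture-group rule is modelled.

```python
import re
from typing import List

# Constructed sample, trimmed from the log excerpt in the question (IDs masked as posted).
RAW_LOG = (
    "NNNN :000.01| 06:37:15 [4067241XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2\n"
    "NNNN :000.00| 06:37:15 [4067241XXX] ws_api12.cpp:279 * CHECK : 10 NOGS:::#name=wager;"
    "request=wager;roundid=529233;transactionid=1268348\n"
    "NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2\n"
    "NNNN :000.00| 06:37:15 [4059315XXX] ws_api12.cpp:606 * CHECK : 10 NOGS:::#name=result;"
    "request=result;roundid=529233;transactionid=1268349;wonamount=0.00\n"
)

# LINE_BREAKER exactly as posted in the question: the capturing group is the id itself.
LINE_BREAKER_AS_POSTED = r"(transactionid=[0-9]+)"
# Assumed alternative: capture the newline *after* the line that carries transactionid=,
# so the id stays in the event and the break lands at the end of that line.
LINE_BREAKER_AFTER_TXN = r"transactionid=[0-9]+[^\r\n]*([\r\n]+)"

# woodcock's SEDCMD, s/(transactionid=.*$)/\1\n/g, expressed as a Python substitution.
SEDCMD_REGEX = r"(transactionid=.*$)"
SEDCMD_REPL = r"\1\n"


def splunk_line_break(raw: str, line_breaker: str) -> List[str]:
    """Approximate Splunk's LINE_BREAKER rule with SHOULD_LINEMERGE=false:
    wherever the regex matches, the start of the first capturing group ends the
    previous event, the end of the group starts the next one, and the group's
    own text is discarded. Surrounding newlines are trimmed, empty events dropped."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, pos = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e.strip("\r\n") for e in events if e.strip()]


def split_as_posted() -> List[str]:
    """Events produced by the question's own LINE_BREAKER."""
    return splunk_line_break(RAW_LOG, LINE_BREAKER_AS_POSTED)


def split_after_txn() -> List[str]:
    """Events produced by the assumed break-after-transactionid pattern."""
    return splunk_line_break(RAW_LOG, LINE_BREAKER_AFTER_TXN)


def apply_sedcmd(event: str) -> str:
    """Per-event equivalent of the SEDCMD: appends a newline after the transactionid line.
    Without MULTILINE, `$` only matches at the end of the event, so the blank line is
    added only when the transactionid line is the event's last line."""
    return re.sub(SEDCMD_REGEX, SEDCMD_REPL, event)


if __name__ == "__main__":
    for label, events in (("as posted", split_as_posted()),
                          ("break after txn", split_after_txn())):
        print(f"== {label}: {len(events)} events")
        for i, e in enumerate(events, 1):
            print(f"-- event {i} (contains transactionid: {'transactionid=' in e})")
            print(e)
    print("== SEDCMD applied to the first merged event:")
    print(repr(apply_sedcmd(split_after_txn()[0])))
```

With the question's pattern the simulation yields three events and none of them contains `transactionid=`; the first also ends with `roundid=529233;`, which is what you would see at search time in `_raw`. With the group moved onto the trailing newline, each event holds the INFO line plus its CHECK line with the id intact. In a real props.conf the assumed pattern would be `LINE_BREAKER=transactionid=[0-9]+[^\r\n]*([\r\n]+)` alongside the existing `SHOULD_LINEMERGE=false`; `LINE_BREAKER_LOOKBEHIND` only has to cover the part of the match before the group, so the posted 500 is more than enough.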

Giggs
New Member

Looks like this:

essionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

Want it to look like this:

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348

NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

0 Karma

Richfez
SplunkTrust

Is your example one where you've manually inserted a carriage return into it, is it the actual LOG line as it sits on disk before Splunk ingested it, or the _raw event, or...

Basically, do your events look like this (trimmed):

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

or like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

And do you want them to look like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 
NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2

or like this

sessionid=0000000CEDE13001c099559651a5ca63d5d325bde65907e3e55683dca0338159965a2fc1c2bfb311;transactionid=1268348 

NNNN :000.01| 06:37:15 [4059315XXX] ws_proc.cpp:1002 - INFO : 00 NOGS::wallet version match: 1.2
0 Karma