Splunk Search

regex over multiline event

Hello,

Given the events I have to import into Splunk, I would like to extract the fields.
My problem occurs with the FUNCTION entry, which can be there once, twice or not at all.

event1:
SERVER  myserver1
HOST    localhost
ERROR_CODE

event2: 
SERVER  myserver2
FUNCTION    f1
FUNCTION    f2
FUNCTION    f3
HOST    localhost

event3:
SERVER  myserver3
FUNCTION    f1
HOST    localhost

event4:
SERVER  myserver4
FUNCTION    f1
FUNCTION    f2
HOST    localhost
ERROR_CODE

Expected result after transformation should be

event1:
server="myserver1";function="";host="localhost";error_code=""

event2:
server="myserver2";function="f1,f2,f3";host="localhost";error_code=""

event3:
server="myserver3";function="f1";host="localhost";error_code=""

event4:
server="myserver4";function="f1,f2";host="localhost";error_code=""

My last attempt was this:

(?sm)SERVER\s(?<server>[A-Za-z0-9]+)(.*?)(FUNCTION\s*(?<function>[A-Za-z0-9]*))+(.*?)HOST\s*(?<host>[A-Za-z0-9]+)(.*?)ERROR_CODE\s*(?<error_code>[A-Z0-9]*)

but I always get only the first occurrence of FUNCTION and not all of them.

Best regards
Tomasz

1 Solution

SplunkTrust

What about this, using max_match=0 (alternatively, use MV_ADD = true in transforms.conf):

| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"

Example 1:

| stats count | fields - count
| eval _raw = "
SERVER    myserver2
FUNCTION    f1
FUNCTION    f2
FUNCTION    f3
HOST    localhost
"
| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"

Output 1: (screenshot of the result, not reproduced here)

Example 2:

| stats count | fields - count
| eval _raw = "
SERVER    myserver2
FUNCTION    f1
HOST    localhost
"
| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"

Output 2: (screenshot of the result, not reproduced here)

Example 3:

| stats count | fields - count
| eval _raw = "
SERVER    myserver2
HOST    localhost
"
| rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"

Output 3 (sorry, but I can't attach any more pictures, although it works fine too)
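The same transformation written in Python, added here as an illustration; it is not part of the question or of the accepted answer. `re.findall` plays the role of `rex max_match=0`, and `extract_single_group` shows what the question's pattern shape (a capture group inside a quantified `(...)+`) actually yields: one value, not all of them. The sample events are constructed from the four cases in the question. Python's `re` writes named groups as `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`; the character classes are the ones from the question's regex, and the `mvjoin` counterpart is an assumption about how the asker would finish the SPL pipeline.

```python
import re

# Constructed sample events reproducing the four cases from the question.
EVENTS = {
    "event1": "SERVER  myserver1\nHOST    localhost\nERROR_CODE\n",
    "event2": "SERVER  myserver2\nFUNCTION    f1\nFUNCTION    f2\nFUNCTION    f3\nHOST    localhost\n",
    "event3": "SERVER  myserver3\nFUNCTION    f1\nHOST    localhost\n",
    "event4": "SERVER  myserver4\nFUNCTION    f1\nFUNCTION    f2\nHOST    localhost\nERROR_CODE\n",
}

# One pattern per keyword, anchored at line start with (?m)^ so a value such as
# "f1" can never be mistaken for a keyword. \s* after the keyword accepts the
# double space / tab separator of the sample events (the question used \s).
SERVER_RE = re.compile(r"(?m)^SERVER\s*(?P<server>[A-Za-z0-9]+)")
HOST_RE = re.compile(r"(?m)^HOST\s*(?P<host>[A-Za-z0-9]+)")
# [ \t]* rather than \s* so an empty ERROR_CODE does not swallow the next line.
ERROR_CODE_RE = re.compile(r"(?m)^ERROR_CODE[ \t]*(?P<error_code>[A-Z0-9]*)")
# Python counterpart of the accepted answer's
#   | rex max_match=0 "(?msi)FUNCTION\s*(?<function>[A-Za-z0-9]*)"
FUNCTION_RE = re.compile(r"(?msi)FUNCTION\s*(?P<function>[A-Za-z0-9]*)")
# The shape from the question's attempt: a capture group inside a repeated group.
REPEATED_GROUP_RE = re.compile(r"(?ms)(?:FUNCTION\s*(?P<function>[A-Za-z0-9]*)\s*)+")


def extract_single_group(raw):
    """What a capture group inside a quantified group yields.

    Both Python's re and PCRE keep only one iteration's capture (the last one),
    so this can never return a list, whatever the quantifier does.
    """
    m = REPEATED_GROUP_RE.search(raw)
    return m.group("function") if m else None


def extract_functions(raw):
    """Equivalent of `rex max_match=0`: every match of the pattern, as a list."""
    return FUNCTION_RE.findall(raw)


def _first_or_empty(pattern, raw):
    """Single-valued field: first match of the pattern, or "" when absent."""
    m = pattern.search(raw)
    return m.group(1) if m else ""


def transform(raw):
    """Build the key="value";... line the question expects from one raw event."""
    fields = {
        "server": _first_or_empty(SERVER_RE, raw),
        # Joining the multivalue list corresponds to mvjoin(function, ",") in SPL.
        "function": ",".join(extract_functions(raw)),
        "host": _first_or_empty(HOST_RE, raw),
        "error_code": _first_or_empty(ERROR_CODE_RE, raw),
    }
    return ";".join(f'{k}="{v}"' for k, v in fields.items())


def transform_all(events=EVENTS):
    """Transform every constructed event; keyed by event name."""
    return {name: transform(raw) for name, raw in events.items()}


if __name__ == "__main__":
    for name, raw in EVENTS.items():
        print(f"{name}: repeated-group capture -> {extract_single_group(raw)!r}")
        print(f"{name}: max_match=0 style      -> {extract_functions(raw)}")
        print(f"{name}: {transform(raw)}")
```

In SPL the join at the end corresponds to `| eval function=mvjoin(function, ",")` placed after the `rex max_match=0` call, which is what turns the multivalue field into the `f1,f2,f3` string the question asks for; an event with no FUNCTION line simply yields an empty multivalue field and therefore `function=""`.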
