Re: skip first 10 lines of search results

guru333 · ‎04-29-2024

_raw=

line 1

line 2

line 3

line 4

line 5

line 6

how to define another new field "copyofraw" to contain just line 5 and line 6

bowesmana · ‎04-29-2024

Need a little more information about the real data and its format, but if you want to ignore the first 4 lines, which are terminated by a linefeed then get the rest of the data, see this example

| makeresults 
| fields - _time
| eval _raw="line 1
line 2
line 3
line 4
line 5
line 6"
| rex "(?ms)([^\n]*\n){4}(?<copyofraw>.*)"

guru333 · ‎04-29-2024

I want to execute this skip first 7 lines on splunk default environment variable "_raw" and not on

eval _raw="line 1
line 2
line 3
line 4
line 5
line 6"

bowesmana · ‎04-29-2024

The makeresults / eval is an example you can run to show you how this works - in your first post you said you wanted lines 5 and 6 - now you want to skip the first 7 lines and your post says you want to skip first 10 lines?

Confused...

Please give more precise information about your requirement

guru333 · ‎04-29-2024

sorry for confusion.

I want to skip 1st 7 lines of environment variable "_raw" and then copy that info from 7th line to new variable "_raw_refined"

bowesmana · ‎04-30-2024

So, use the rex statement I provided and change the 4 to a number of lines you want to skip and change copyofraw to the name of the field you want to create.

Note that _raw is a FIELD in Splunk, not an environment variable - Splunk has fields that are part of your data and _raw and _time are key fields

guru333 · ‎05-02-2024

I need to skip 1st 10 lines of key field "_raw"

bowesmana · ‎05-02-2024

When you tried my suggestion, please tell me what happened and what still is not working.

skip first 10 lines of search results

field extraction

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!