It looks like your intention is to capture raw events with "Event Type" and "Event ID" in them. It would have been so much easier if you had just described the actual goal. You are correct that when you use the list command, the resultant field doesn't have a newline "\n" in it. It is simply a multivalued field that Splunk's Statistics tab presents on multiple lines. I see two different approaches to this problem. But before that, let me comment that you should approach your developer or aggregator, whoever made these logs into multiple events, and beg, harass, or intimidate them to combine these into a single event for Splunk. It will not only be better for Splunk, but also for people who may read the log files manually.

The most straightforward approach will be to not bother with regex or "\n".

index=xxx
| reverse
| stats list(_raw) as raw by _time
| eval Events = mvfilter(match(raw, "Event Type:") OR match(raw, "Event ID:"))

Note "Events" here is also multivalued. In my opinion, multivalued fields are more useful subsequently. But if you really want them to be single valued with a newline, just insert a newline as exemplified in the next method.

If you really, really must go with "\n", just insert it.

index=xxx
| reverse
| stats list(_raw) as raw by _time
| eval raw = mvjoin(raw, "
")
| rex field=raw "(?<Events>(Event Type.*)((\n.*)?)+Event ID: \d+)"
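An added, self-contained example (not part of the original answer, and not the asker's data) that runs both approaches above side by side on constructed input. It uses makeresults to build five one-line events with made-up timestamps, labels ("Login", "Logout") and IDs (4624, 4634); the field `line` stands in for `_raw`, and `ts` and `joined` are names chosen here. Everything else is standard SPL.

```spl
| makeresults count=1
| eval line="2024-01-01 00:00:00 Event Type: Login|2024-01-01 00:00:00 User: alice|2024-01-01 00:00:00 Event ID: 4624|2024-01-01 00:00:01 Event Type: Logout|2024-01-01 00:00:01 Event ID: 4634"
| makemv delim="|" line
| mvexpand line
| rex field=line "^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
| stats list(line) as raw by _time
| eval Events=mvfilter(match(raw, "Event Type:") OR match(raw, "Event ID:"))
| eval joined=mvjoin(raw, urldecode("%0A"))
| rex field=joined max_match=0 "(?<Spans>Event Type:[^\n]*(?:\n[^\n]*)*?Event ID: \d+)"
| table _time raw Events joined Spans
```

For each `_time` bucket, `Events` is the multivalued list of just the "Event Type:" and "Event ID:" lines (mvfilter keeps matching values, whereas mvfind would only return the index of the first match). `joined` is the same bucket glued with a real newline; `urldecode("%0A")` is the usual way to get one inside eval, since a literal `"\n"` in an eval string is not unescaped. `max_match=0` makes rex return every span rather than only the first, and the lazy `(?:\n[^\n]*)*?` stops at the first "Event ID:" after each "Event Type:", which avoids the heavy backtracking of a nested `((\n.*)?)+`. One caveat a practitioner should check on real data: grouping by `_time` assumes the fragments of one logical event share the same timestamp to the second and that no two logical events do; if they do, the fragments are merged into one bucket, and the same issue applies to the original `stats list(_raw) by _time` query.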