Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add line numbers to multiline event using rex in sed mode

alon7786
New Member
‎03-24-2016 07:59 AM

Hi,

Is there a way to use fields in rex expression?
I would like to do something like this:

| eval num=1 | accum num | rex mode=sed "s/(?m)^(.)$/*num. \1/g"

meaning adding to multiline event line numbers without breaking the lines.

I tried the How to number each line in a multiline event? but all the suggestions breaking the multiline event to event per line.

I must save the event multiline to perform more actions on the result.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎04-20-2016 09:37 AM

You can try like this (run anywhere sample)

| gentimes start=-1 | eval _raw="Line1 
Line2
Line3" | table _raw | rex mode=sed "s/([\r\n])/#$#\1/g" | makemv _raw delim="#$#" | eval sno=mvrange(1,mvcount(_raw)+1) | eval _raw=mvzip(sno,_raw,". ")
0 Karma
Reply

alon7786
New Member
‎04-19-2016 10:39 PM

Is it impossible? or my questions make no sense?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...