Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my rex statement to ignore line breaks to extract the entire value for a certain field?

marcosrios
Explorer
‎03-04-2016 12:45 PM

Hello,

I have an event like this: 

2016-03-04 00:02:05,546 DEBUG [net.ussouth.aps.shared.util.SysLogUtil] <?xml version="1.0" encoding="UTF-8"?>
<TxnReq xmlns="http://www.us-south.net/namespace/Transaction"><ReqCat>fastcard</ReqCat><ReqAction>Act</ReqAction><ReqRoute>dbservice</ReqRoute><TraceUID>8a848b8d531f68940153400111f417ae</TraceUID><MerchDate>20160304</MerchDate><MerchTime>000206</MerchTime><Product><Track1>;0987789000000000=</Track1><Track2>0987789000000000=</Track2><ExtSerNum>0987789000000000</ExtSerNum><UPC>07675004668</UPC><Denom>840</Denom><Amount>5.0</Amount></Product><Origin><MerchID>Toys R Us</MerchID><StoreID>05927      TOYS</StoreID><TermID>05927100</TermID><TermType>FCMS</TermType><SrcRefNum>087591</SrcRefNum></Origin><Extension><Name>49</Name><Value>USD</Value></Extension><Extension><Name>59</Name><Value>0200      08759105927      TOYS.05927100</Value></Extension><TxnContext><HdrId>53746565</HdrId><ExecutionId>87077798</ExecutionId><StepNbr>1</StepNbr><IncommTransId>8a848b8d531f68940153400111f417ae</IncommTransId><NoPrevTxnFound>false</NoPrevTxnFound></TxnContext></TxnReq>

and I'm using this regex to get some fields from it:

| rex "(?<timestamp>(\d{4}-\d{2}-\d{2} \d{2}\:\d{2}\:\d{2}\,\d{3})) (?<loglevel>DEBUG|INFO|WARN|ERROR) (?<origin>\[.*\]) (?<content>.*)" | table timestamp, loglevel, origin, content

I can get all the fields ok except for content that is stopping when it finds a linebreak in the text. How can I make it get all the remaining text and set it in the (content) field?

Regards!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-04-2016 01:16 PM

Try using the single-line modifier by putting "(?s)" at the beginning of your regex string.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-04-2016 01:16 PM

Try using the single-line modifier by putting "(?s)" at the beginning of your regex string.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...