Solved: Multiline field search: How to print multiple even...

jimish · ‎07-08-2022

In logs there are multiple lines printed like below and I want to print all of them in a table but my search query only prints one value , need help to print multiple records

Balance amount is zero for invoice id:20220402-126-12300-A

Balance amount is zero for invoice id:20220502-126-12300-B

Balance amount is zero for invoice id:20220602-126-12300-C

Need to print like : 20220704-126-77300-A, 20220404-126-77300-A , 20220704-126-77300-A

query I am trying : rex field=_raw "Balance amount is zero for invoice id:(?P<InvoiceExceptionNo>\S+)"

danielcj · ‎07-08-2022

Hello @jimish ,

Please try using the "max_match" command on the rex definition. Like this one:

| rex max_match=0 field=_raw "Balance amount is zero for invoice id:(?P<InvoiceExceptionNo>\S+)"
| table InvoiceExceptionNo

View solution in original post

jimish · ‎07-08-2022

thank you max_match command did the trick.

will be very useful in future.

Thank you

danielcj · ‎07-08-2022

Hello @jimish ,

Please try using the "max_match" command on the rex definition. Like this one:

| rex max_match=0 field=_raw "Balance amount is zero for invoice id:(?P<InvoiceExceptionNo>\S+)"
| table InvoiceExceptionNo

Multiline field search: How to print multiple events?

rex

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Multiline field search: How to print multiple events?

rex

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I