Hello,
I am trying to create a regex so that I can have all data in between line breaks as one event. Here is a sample of the data I'm working with:
isDraggingObject : True
id : afbbdeb7-9fd4-4b53-ab17-742809154ba9
condition : {or, matches System.Object[] (?i)(^.*?host failure
alert.*?www\.jennycraig\.com\.au.*?$), matches System.Object[]
(?i)(^.*?\bwarning\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {route PVG22KK, severity warning}
isDraggingObject : True
id : 3b5aa785-b854-4e43-900a-225da5786a27
condition : {or, matches System.Object[]
(?i)(^.*?\bcritical\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PVG22KK}
isDraggingObject : True
id : a8420998-fbca-486b-9ff7-d03b9e16536e
condition : {or, matches System.Object[] (?i)(^.*?\bcritical\b.*?www\.jennycraig\.com$),
matches System.Object[] (?i)(^.*?\bcritical\b.*?locations\.jennycraig\.com)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PW0VV83}
The aim is to get all data as one event.
Thanks in advance for your help. I've been trying multiple different regex expressions, but just can't figure it out...
Your description is strange to me. If you mean that there is a blank line between events, then this will do it:
[<YourSourcetypeHere>]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]\s*[\r\n]+)
Assuming you want everything in between the empty lines in 1 capture group (named "event")... this should work.
edit: sorry for cut and paste silliness.
(?<event>^.\S*[^\n<]*(?:(?:<(?!)|\n(?!$))[^\n]*)*(?:|\n$|\z))
So would this be in the props.conf file?
LINE_BREAKER = (?^.\S*^\n<*(?:|\n$|\z))
Look at my last edit.... I think you need to name the capture group (in my example I named it "event").
I tried that example as well and for some reason it is still combining all the data into one event.
Are you saying this data currently in multiple lines and you want to combine it into a single line? Do you want to do this at index time or search time?
I want this to be completed at the time I index the data. Event 1 should be:
isDraggingObject : True
id : afbbdeb7-9fd4-4b53-ab17-742809154ba9
condition : {or, matches System.Object[] (?i)(^.*?host failure
alert.*?www\.jennycraig\.com\.au.*?$), matches System.Object[]
(?i)(^.*?\bwarning\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {route PVG22KK, severity warning}
Event 2:
isDraggingObject : True
id : 3b5aa785-b854-4e43-900a-225da5786a27
condition : {or, matches System.Object[]
(?i)(^.*?\bcritical\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PVG22KK}
Currently Splunk is just grouping everything together into one event.
Is this logging format some kind of application standard, or is this something that someone made in house? I ask because the way it's currently formatted makes it difficult for index time field extractions. I have a search time extraction that can be used to accomplish what I believe you are trying to do (create key value pairs), using a run anywhere example with the data you provided in your question:
| makeresults count=3
| streamstats count as counter
| eval _raw=case(counter=1, " isDraggingObject : True
id : afbbdeb7-9fd4-4b53-ab17-742809154ba9
condition : {or, matches System.Object[] (?i)(^.*?host failure
alert.*?www\.jennycraig\.com\.au.*?$), matches System.Object[]
(?i)(^.*?\bwarning\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {route PVG22KK, severity warning}", counter=2, " isDraggingObject : True
id : 3b5aa785-b854-4e43-900a-225da5786a27
condition : {or, matches System.Object[]
(?i)(^.*?\bcritical\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PVG22KK}", counter=3, " isDraggingObject : True
id : a8420998-fbca-486b-9ff7-d03b9e16536e
condition : {or, matches System.Object[] (?i)(^.*?\bcritical\b.*?www\.jennycraig\.com$),
matches System.Object[] (?i)(^.*?\bcritical\b.*?locations\.jennycraig\.com)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PW0VV83}")
| fields - counter _time
| rex field=_raw mode=sed "s/(\n|^)\s+(\w+\s+):/█\1\2:/g"
| makemv _raw delim="█"
| rex mode=sed field=_raw "s/█//g"
| rex mode=sed field=_raw "s/\n/ /g"
| extract kvdelim=":" pairdelim="
"
The first sed statement inserts a unique character into the event, which we can then use to make it a multi-valued result that splits each key value pairing into a unique value of the raw data. It then removes the unique character and then replaces all line breaks with spaces. After that is done you can run the extract command and it will produce proper key value pairing.
If this is a custom generated log event, I would suggest that they consider making it key value format by wrapping their values with quotes and changing the colon to an equal sign or follow the Windows events formatting standard if you want line breaks without quotes in your values.
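Added example, not posted by anyone in this thread: a small Python model of the two steps the answers above describe, splitting the raw text into events the way LINE_BREAKER with SHOULD_LINEMERGE = false does, and then pulling the "key : value" pairs out of each event the way the sed/extract pipeline above does. The records have no blank line between them, so the blank-line breaker from the first answer yields a single event, which is the behaviour the question reports; a breaker keyed on the first field of every record (RECORD_BREAKER, an assumption of this example, not something proposed in the thread) yields one event per record. The split_events function is an approximation of Splunk's breaking rules written for this example, not Splunk's code. The sample is constructed from the records shown in the question; the third record is modelled on the later "equals ... critical: Page Failure alert on https://..." record because its continuation lines begin with "https:" and "critical:" and would be mistaken for keys by a naive "word:" pattern.

```python
import re

# Constructed sample in the format the question shows: records follow each other
# with no blank line between them, and a value may wrap onto continuation lines.
# Records 1 and 2 are copied from the question; record 3 is modelled on the
# "equals ... critical: Page Failure alert on https://..." record shown later,
# because its continuation lines start with "https:" and "critical:".
SAMPLE = r"""isDraggingObject : True
id : afbbdeb7-9fd4-4b53-ab17-742809154ba9
condition : {or, matches System.Object[] (?i)(^.*?host failure
alert.*?www\.jennycraig\.com\.au.*?$), matches System.Object[]
(?i)(^.*?\bwarning\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {route PVG22KK, severity warning}
isDraggingObject : True
id : 3b5aa785-b854-4e43-900a-225da5786a27
condition : {or, matches System.Object[]
(?i)(^.*?\bcritical\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PVG22KK}
isDraggingObject : True
id : 20fc7d82-d17d-443e-9802-c8f2df462ce9
condition : {or, equals System.Object[] critical: Page Failure alert on
https://uw2pobi11.sonic.jennycraig.com:9503/analytics, equals System.Object[]
critical: Page Failure alert on https://uw2pobi11.sonic.jennycraig.com:9501/console}
catch_all : False
advanced_condition : {}
actions : {route PO77HX2}
"""

# The blank-line breaker from the first answer: it only splits where an empty
# (or whitespace-only) line separates records, and this data has none.
BLANK_LINE_BREAKER = r"([\r\n]\s*[\r\n]+)"

# Assumed alternative keyed on the first field of every record: the newline(s)
# are consumed by the capture group, and the lookahead keeps "isDraggingObject"
# at the start of the next event instead of discarding it.
RECORD_BREAKER = r"([\r\n]+)(?=isDraggingObject\s*:)"


def split_events(text, line_breaker):
    """Approximation of LINE_BREAKER with SHOULD_LINEMERGE=false (written for
    this example, not Splunk's code): text before a match's capture group ends
    the current event, the capture group itself is discarded, and whatever
    follows starts the next event."""
    events, last = [], 0
    for m in re.finditer(line_breaker, text):
        chunk = text[last:m.start(1)]
        if chunk.strip():
            events.append(chunk)
        last = m.end(1)
    tail = text[last:]
    if tail.strip():
        events.append(tail)
    return events


# A key line is "<word> <whitespace> : <value>". Requiring whitespace before the
# colon is what stops "https://..." and "critical: ..." continuation lines from
# being read as keys; the sed in the answer above, (\w+\s+):, relies on the same.
KEY_LINE = re.compile(r"^\s*(\w+)\s+:\s*(.*)$")


def parse_event(event):
    """Return one record as a dict; continuation lines are appended to the
    previous value with a single space, as the sed/extract pipeline does."""
    fields, current = {}, None
    for line in event.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif current is not None and line.strip():
            fields[current] = fields[current] + " " + line.strip()
    return fields


def extract_all(text, line_breaker=RECORD_BREAKER):
    """Split the raw text into events, then extract each event's fields."""
    return [parse_event(e) for e in split_events(text, line_breaker)]


if __name__ == "__main__":
    print("blank-line breaker:", len(split_events(SAMPLE, BLANK_LINE_BREAKER)), "event(s)")
    print("record breaker:    ", len(split_events(SAMPLE, RECORD_BREAKER)), "event(s)")
    for rec in extract_all(SAMPLE):
        print(rec["id"], rec["actions"])
```

The props.conf equivalent of RECORD_BREAKER would be SHOULD_LINEMERGE = false together with LINE_BREAKER = ([\r\n]+)(?=isDraggingObject\s*:) on the sourcetype; that setting is an assumption of this example and should be checked against a sample of the real file before it is applied, in particular that every record really starts with that field and that no value contains a line beginning with it.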
The document is created from a PowerShell script that pulls data through an API connection with an online application. When the information is indexed, there are no line breaks:
isDraggingObject : True
id : afbbdeb7-9fd4-4b53-ab17-742809154ba9
condition : {or, matches System.Object[] (?i)(^.*?host failure alert.*?www\.jennycraig\.com\.au.*?$), matches
System.Object[] (?i)(^.*?\bwarning\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {route PVG22KK, severity warning}
isDraggingObject : True
id : 3b5aa785-b854-4e43-900a-225da5786a27
condition : {or, matches System.Object[] (?i)(^.*?\bcritical\b.*?www\.jennycraig\.com\.au.*?$)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PVG22KK}
isDraggingObject : True
id : a8420998-fbca-486b-9ff7-d03b9e16536e
condition : {or, matches System.Object[] (?i)(^.*?\bcritical\b.*?www\.jennycraig\.com$), matches
System.Object[] (?i)(^.*?\bcritical\b.*?locations\.jennycraig\.com)}
catch_all : False
advanced_condition : {}
actions : {severity critical, route PW0VV83}
isDraggingObject : True
id : d9837013-68c9-42bf-a91f-8dd8a94ca377
condition : {or, matches System.Object[] (?i)(^.*?host failure alert.*?www\.jennycraig\.com$), matches
System.Object[] (?i)(^.*?\bwarning\b.*?www\.jennycraig\.com$), matches System.Object[]
(?i)(^.*?host failure alert.*?locations\.jennycraig\.com)...}
catch_all : False
advanced_condition : {}
actions : {route PW0VV83, severity warning}
isDraggingObject : True
id : 20fc7d82-d17d-443e-9802-c8f2df462ce9
condition : {or, equals System.Object[] critical: Page Failure alert on
https://uw2pobi11.sonic.jennycraig.com:9503/analytics, equals System.Object[] critical: Page
Failure alert on https://uw2pobi11.sonic.jennycraig.com:9501/console, equals System.Object[]
critical: Page Failure alert on https://uw2pobi11.sonic.jennycraig.com:9501/em...}
catch_all : False
advanced_condition : {}
actions : {route PO77HX2}
I tried out your code in one of the searches and it produced no results.