L-Samuels
Reputation: 2832
Splunk: Trying to split multiline event at search time
2018-06-20T00:04:35.000+00:00 (980) WAL Autocheckpointing, name=C:\Program
Files\PriceService\data\documents.db
2018-06-20T00:07:16.000+00:00 (980) WAL Autocheckpointing, name=C:\Program
Files\PriceService\data\store-promotions.db
2018-06-20T00:07:21.000+00:00 (980) WAL Autocheckpointing, name=C:\Program
Files\PriceService\data\store-promotions.db
2018-06-20T00:07:26.000+00:00 (980) WAL Autocheckpointing, name=C:\Program
Files\PriceService\data\store-promotions.db
I have been trying to get my splunk query right in order to split this one event into multiple events but for some reason I cannot get my query right.
I tried to split on newline but the result set comes back unchanged. I understand from reading online I'm supposed to use something on the lines of
myQuery | rex field=_raw "\[(?P<field1>...).*[\r\n]"
Apologies by the way. My regex game is not strong.
Upvotes: 4
Views: 12245
Answers (2)
L-Samuels
Reputation: 2832
I realise that this could simply be done using
myQuery | multikv noheader=t
I hope this helps someone else as I spent a couple hours trying to get the regex right.
EDIT: Fixed command.
Upvotes: 8
RichG
Reputation: 9926
Try ... | eval events=split(_raw, "\n") | mvexpand events | ....
BTW, regex101.com is great for testing regex strings.
Upvotes: 3
Related Questions
- Get rid of characters between two characters in Splunk
- Splunk HEC - Disable multiline event splitting due to timestamp
- Splunk: regex - No events counted
- Splunk: How to use multiple regular expressions in one query?
- Splunk field extractions from different events & delimiters
- Search over multiple lines regex
- Extract this specific pattern using regEx ( "message":"TransactionRefNo =====> 37010072") from splunk events using query?
- regex:how to specify and end of the capture
- Regex to extract two values from single string in Splunk
- A regex with Splunk