amir.m ghazanfari
Reputation: 209
manipulate string in splunk
I have a multi line event in Splunk that looks like this:
{"log":"text 1\n","stream":"stdout","time":"2022-09-12T10:06:27.318327863Z"}
{"log":"text 2\n","stream":"stdout","time":"2022-09-12T10:06:28.318327863Z"}
{"log":"text 3\n","stream":"stdout","time":"2022-09-12T10:06:29.318327863Z"}
splunk shows log as
log: text 1
and ignores other lines. I need a field that says for example:
log_sample: text 1
text 2
text 3
I'm not a Splunk admin so I can not change the config of Splunk. What I need is kind of a regex function so that I can manipulate the event. I tried this pipeline:
...| rex max_match=0 field=_raw "(?<lineData>zone.*?mark=(\},|\}\s+\]))" | mvexpand lineData
but it was not working (I found it on the internet)
Upvotes: 0
Views: 147
Answers (1)
RichG
Reputation: 9916
This is an example of why one should not copy code from the Internet without understanding what it does. The regular expression used in the rex command is for a completely different target string. You need to modify the regex to match your data.
Try this, instead.
| rex max_match=0 "log\\\":\\\"(?<text>[^\\\"]+)" | mvexpand text
Upvotes: 2
Related Questions
- How to exclude a particular string from set of server logs
- Using Splunk rex to extract String from logs
- splunk query based on log stdout
- How to parse information from a log message in splunk
- Search string with dynamic value in Splunk
- Assign a value to the variable in Splunk and use that value in the search
- How to extract data from the String in splunk?
- format splunk query by renaming search elements
- Filtering Splunk results based on a numerical value in the log entry
- Splunk Custom Log format Parsing