Splunk Search

Why is my current regex not extracting fields from a multiline log with spaces at the start of each line?

zac18992
New Member

Hi

I have some logs in the format below (multiple lines in each log). Note that there are spaces at the start of each line.

SPACES amount:
SPACES purchAmount: 6300
SPACES currency: 978

I am using the following regex to extract a field (I would replicate this for other fields):

(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$

It doesn't seem to work. Could anyone help with this?

Many thanks!

0 Karma

neelamssantosh
Contributor

Hi Zac,

go through the below link,
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX

Hope it will help your concerns as it automatically creates the field extraction as per your requirement.

0 Karma

zac18992
New Member

Hi

I have used the regex extractor on many other logs. However, when I try to use it on this multiline log, I get the following error:

'The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.'

Thanks

0 Karma

jeffland
SplunkTrust

You should be able to extract your fields with

amount:\s(?<amount>.*)

for amount,

purchAmount: (?<purchAmount>.*)

for purchAmount and so forth. Try your regexes online, for example at regex101 - it helps a lot!

0 Karma
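To see how these extractions behave on an event shaped like the one in the question, here is an added example (not part of the thread and not Splunk's own code). It uses Python's `re` module as a stand-in for Splunk's PCRE engine; the syntax shown is accepted by both, and the three-line sample event is constructed to mirror the post, including the `amount:` line that carries no value. The line-anchored patterns use `(?m)` so `^` and `$` work on every line, `\s*` to absorb the leading indentation, and `[^\r\n]*` so a capture can never spill onto the following line. Two helper functions show why the two simpler forms misbehave on this exact input: `\s` after `amount:` happily matches the newline, and `^` without `(?m)` only ever matches at the very start of the event.

```python
import re
from typing import Dict, Optional

# Constructed sample event mirroring the post: three indented lines,
# and the "amount:" line carries no value of its own.
SAMPLE_EVENT = (
    "    amount:\n"
    "    purchAmount: 6300\n"
    "    currency: 978\n"
)

# Line-anchored extractions. (?m) makes ^ and $ match at every line,
# \s* absorbs the leading indentation, [ \t]* eats the separator, and
# [^\r\n]* keeps the value on its own line even when nothing follows
# the colon. Field names are the ones from the question.
FIELD_PATTERNS = {
    "amount": r"(?m)^\s*amount:[ \t]*(?P<amount>[^\r\n]*)$",
    "purchAmount": r"(?m)^\s*purchAmount:[ \t]*(?P<purchAmount>[^\r\n]*)$",
    "currency": r"(?m)^\s*currency:[ \t]*(?P<currency>[^\r\n]*)$",
}


def extract_fields(event: str, patterns: Dict[str, str] = FIELD_PATTERNS) -> Dict[str, str]:
    """Run each named regex over the whole multiline event and collect the hits."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group(name)
    return fields


def unanchored_amount(event: str) -> Optional[str]:
    """The 'amount:\\s(.*)' form: \\s also matches the newline after
    'amount:', so on this event the capture runs onto the next line."""
    match = re.search(r"amount:\s(?P<amount>.*)", event)
    return match.group("amount") if match else None


def single_line_anchor(event: str) -> Optional[str]:
    """Without (?m), ^ matches only at the start of the whole event, so a
    line-start anchor never reaches an indented line further down."""
    match = re.search(r"^\s+currency:\s(?P<currency>.+?)$", event)
    return match.group("currency") if match else None


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT))
    print(repr(unanchored_amount(SAMPLE_EVENT)))
    print(single_line_anchor(SAMPLE_EVENT))
```

The anchored patterns can be pasted into a `rex` search command against `_raw` (for example `| rex field=_raw "(?m)^\s*currency:[ \t]*(?<currency>[^\r\n]*)$"`) to confirm the behaviour in Splunk itself; the flags and character classes are plain PCRE, so no translation is needed.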

richgalloway
SplunkTrust

You have a named group without a name. This string works for me:

(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$
---
If this reply helps you, Karma would be appreciated.
0 Karma

jeffland
SplunkTrust

I think your regex is corrupted. When you post regexes, always use the code function (or indent by four spaces by hand).

0 Karma

zac18992
New Member

The regex was supposed to be as follows:

(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$

Apologies for that!

0 Karma