Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is my current regex not extracting fields from a multiline log with spaces at the start of each line?

zac18992
New Member
‎04-21-2015 07:16 AM

Hi

I have some logs in the format below (multiple lines in each log). Note that there are spaces on the start of each line.

SPACES amount:
SPACES purchAmount: 6300
SPACES currency: 978

I am using the following regex to extract a field (I would replicate this for other fields):

(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$

It doesn't seem to work. Could anyone help with this?

Many thanks!

0 Karma
Reply

neelamssantosh
Contributor
‎04-21-2015 08:11 AM

Hi Zac,

go through the below link,
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX

Hope it will help your concerns as it automatically creates the field extraction as per your requirement.

0 Karma
Reply

zac18992
New Member
‎04-22-2015 02:47 AM

Hi

I have used the regex extractor on many other logs. However, when I try to use it on this multiline log, I get the following error:

'The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.'

Thanks

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 07:22 AM

You should be able to extract your fields with

amount:\s(?<amount>.*)

for amount,

purchAmount: (?<purchAmount>.*)

for purchAmount and so forth. Try your regexes online, for example at regex101 - it helps a lot!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2015 07:21 AM

You have a named group without a name. This string works for me:

(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 07:18 AM

I think your regex is corrupted. When you post regexes, always use the code function (or indent by four spaces per hand).

0 Karma
Reply

zac18992
New Member
‎04-21-2015 07:30 AM

The regex was supposed to be as follows: 

(?Um-s)^(\s+?)currency:\s(?P<currency>.+?)$

Apologies for that!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...