Hi there,
I have a multisensor device sending messages via MQTT. I am trying to extract the fields from it. It works for the single-line fields, but for the "multiline" fields, I am stuck on the regex.
example regex:
(gyro \(mdeg\/s\):.*\s*)(?P<xdk_gyro>((.*\s){3}))
example data:
Device: Multisensor
Name: mus_007
Timestamp: 10328
acc (mG):
x = +24
y = +19
z = +1047
gyro (mdeg/s):
x = -2685
y = +3540
z = -2075
mag (uT):
x = +22
y = +8
z = +3
light (mLux) = 92160
temp (mCelsius) = 27870
pressure (Pascal) = 98725
humidity (%rh) = 32
So far, extracting the "multiline" fields (which consist of x, y and z coordinates) as one field seems to work in regex101.com but not in Splunk's Field Extractor.
It would be great if you could come up with some help, either extracting the different coordinate groups as one or, even better 🙂, with an idea how to get the single values for x, y, z.
thanks
swe
Would be best to extract them individually (less sensitive to content changes). Try something like this for each group:
acc[.\s\S\n\r]*?x\s=\s(?<acc_x>[+-]\d+)
acc[.\s\S\n\r]*?y\s=\s(?<acc_y>[+-]\d+)
acc[.\s\S\n\r]*?z\s=\s(?<acc_z>[+-]\d+)
gyro[.\s\S\n\r]*?x\s=\s(?<gyro_x>[+-]\d+)
gyro[.\s\S\n\r]*?y\s=\s(?<gyro_y>[+-]\d+)
gyro[.\s\S\n\r]*?z\s=\s(?<gyro_z>[+-]\d+)
mag[.\s\S\n\r]*?x\s=\s(?<mag_x>[+-]\d+)
mag[.\s\S\n\r]*?y\s=\s(?<mag_y>[+-]\d+)
mag[.\s\S\n\r]*?z\s=\s(?<mag_z>[+-]\d+)
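An added example, not part of the original thread: a Python harness for testing the extractions offline against the sample event from the question. It compares the lazy per-axis form with a pattern anchored to each sensor header, and shows what each does when an axis line is missing from a message. The function names and the truncated event are assumptions made for this illustration; the groups use the `(?P<name>...)` syntax from the question, which Python's `re` requires.

```python
import re

# Sample event from the question, rebuilt line by line.
EVENT = "\n".join([
    "Device: Multisensor", "Name: mus_007", "Timestamp: 10328",
    "acc (mG):", "x = +24", "y = +19", "z = +1047",
    "gyro (mdeg/s):", "x = -2685", "y = +3540", "z = -2075",
    "mag (uT):", "x = +22", "y = +8", "z = +3",
    "light (mLux) = 92160", "temp (mCelsius) = 27870",
    "pressure (Pascal) = 98725", "humidity (%rh) = 32"])
# Constructed failure case: the same event with the acc "y" line dropped.
TRUNCATED = EVENT.replace("y = +19\n", "")

SENSORS = ("acc", "gyro", "mag")

def anchored_pattern(sensor):
    # Header line, then exactly the three axis lines directly below it.
    return re.compile(
        rf"^{sensor} \([^)]*\):\s*\n"
        rf"x = (?P<{sensor}_x>[+-]\d+)\s*\n"
        rf"y = (?P<{sensor}_y>[+-]\d+)\s*\n"
        rf"z = (?P<{sensor}_z>[+-]\d+)",
        re.MULTILINE)

def extract_anchored(event):
    # A sensor block is extracted as a whole or not at all.
    fields = {}
    for s in SENSORS:
        m = anchored_pattern(s).search(event)
        if m:
            fields.update({k: int(v) for k, v in m.groupdict().items()})
    return fields

def extract_lazy(event):
    # One lazy search per sensor and axis, as in the answer above.
    fields = {}
    for s in SENSORS:
        for axis in "xyz":
            m = re.search(rf"{s}[\s\S]*?{axis}\s=\s(?P<v>[+-]\d+)", event)
            if m:
                fields[f"{s}_{axis}"] = int(m.group("v"))
    return fields
```

On the complete event both functions return the same nine fields. On `TRUNCATED`, the lazy search runs past the acc block and reports the gyro y value as `acc_y`, while the anchored pattern leaves the acc fields unset.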
Wow, that was fast! Thank you a lot, sundareshr! 🙂