How to split a fieldvalue at the very first line break?

HeinzWaescher
Motivator

Hi,

I want to split up a field value into two parts at the very first line break (in total there is an unknown number of line breaks).

Here is an example.

Shown Fieldvalue:
java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333
at s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)
at s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
...

Raw data:
"stacktrace":"java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat
...

I want to cut after the first linebreak and ignore all following linebreaks. So that in the end the bold is fieldA and the rest is fieldB

Thanks in advance

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | rex "(?ms)^(?<part1>[^\r\n]+)[\r\n]+(?<part2>.*)$"

0 Karma


HeinzWaescher
Motivator

This seems to work in all cases 🙂 thanks

0 Karma

gcusello
SplunkTrust

Hi
did you try something like this?

(?<your_field>[^\n]*)\n

or

(?<your_field>[^ ]*)\n

Bye.
Giuseppe

HeinzWaescher
Motivator

Unfortunately I'm not familiar with rex commands. Can you give me a hint how to adapt this?
I tried

| rex field=fieldA (?[^ ]*)\n

But Splunk tells me
Error in 'SearchParser': Missing a search command before '^'.

PS: I don't know why this comment function rejects parts of my entered command after submitting it 😞

0 Karma

gcusello
SplunkTrust

If you use this regex in a field you can write
(?<your_field>[^ ]*)\n
If instead you use it in a search, you must put the regex in brackets, write

Your_search
| rex "(?<your_field>[^ ]*)\n"
| ...

Try both solutions ([^ ] and [^\n]).

Bye.
Giuseppe

0 Karma

HeinzWaescher
Motivator

Thanks for the clarification. Both options don't change the field value.

0 Karma

gcusello
SplunkTrust

Could you share another example of your log?
Bye.
Giuseppe

0 Karma

HeinzWaescher
Motivator

Here is an example.

Shown Fieldvalue:
java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333
at s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)
at s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

...

Raw data:
"stacktrace":"java.lang.IllegalStateException: Could not generated a new mission config for player 97a49f4e-e99e-4594-8284-80989333 and horde config 97a49f4e-e99e-4594-8284-80989333 on island 97a49f4e-e99e-4594-8284-80989333\n\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat
...

I want to cut after the first linebreak, so that the bold is fieldA and the rest is fieldB

0 Karma

gcusello
SplunkTrust

try

(?<field1>[^\r\n]*)\n(?<field2>.*)

you can test it at https://regex101.com/r/10IbYY/1

Bye.
Giuseppe

0 Karma

HeinzWaescher
Motivator

This seems to be a step in the right direction. The field is separated, but field2 only shows the part until the next line break appears. Can we ignore all line breaks afterwards?

0 Karma

gcusello
SplunkTrust

Strange, in my regex101 test field2 takes all until the end...
Anyway, try

(?s)(?<field1>[^\r\n]*)\n(?<field2>.*)

see it at https://regex101.com/r/10IbYY/2

Bye.
Giuseppe

HeinzWaescher
Motivator

Thanks, that looks very promising! I recognized some cases where it does not work. Any idea why for this example here:

java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at

In Splunk field1 is empty. field2 is:
at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at

0 Karma

gcusello
SplunkTrust

I cannot see if there's a newline for each line.
Putting this example in regex101, all the three lines are in field1, if I insert a newline after the first, all logs are correctly read (the first in field1 and the others in field2).
Probably there's only one newline in these records.

Bye.
Giuseppe

0 Karma
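As an added illustration (not code from the thread), here is woodcock's accepted pattern applied in Python to a constructed sample of the stacktrace field; it also reproduces the (?s)-less behaviour from the regex101 exchange and the single-line case, and assumes Python's (?P<name>...) spelling of named groups with re.search standing in for rex.

```python
import re

# Added example (not code from the thread): the accepted rex pattern, in Python.
# Python's re spells named groups (?P<name>...) where Splunk/PCRE uses (?<name>...).
# (?m) makes ^ and $ line anchors; (?s) lets '.' cross line breaks so part2
# keeps every remaining line of the stack trace.
FIRST_BREAK_SPLIT = re.compile(r"(?ms)^(?P<part1>[^\r\n]+)[\r\n]+(?P<part2>.*)$")

# The same pattern without (?s): '.' stops at the next line break, which is the
# "field2 only shows the part until the next linebreak" symptom from the thread.
NO_DOTALL_SPLIT = re.compile(r"(?m)^(?P<part1>[^\r\n]+)[\r\n]+(?P<part2>.*)$")


def split_first_break(value, pattern=FIRST_BREAK_SPLIT):
    """Return (part1, part2), or None when the value has no line break to split on.

    re.search mirrors rex, which scans for the first match rather than
    requiring the pattern to cover the whole field.
    """
    m = pattern.search(value)
    return None if m is None else (m.group("part1"), m.group("part2"))


def split_with_fallback(value):
    """Like split_first_break, but a single-line value lands whole in part1.

    rex extracts nothing on a non-match; this keeps the message in part1 instead.
    """
    return split_first_break(value) or (value, "")


# Constructed sample in the shape of the thread's stacktrace field, with the
# "\n\t" separators the raw JSON showed (identifiers are made up).
STACKTRACE = (
    "java.lang.IllegalStateException: Could not generated a new mission config "
    "for player 97a49f4e-e99e-4594-8284-80989333\n"
    "\tat s.r.GeneratedConstructorAccessor309.newInstance(Unknown Source)\n"
    "\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n"
    "\tat ..."
)

# Constructed single-line sample in the shape of the SocketException record.
SINGLE_LINE = (
    "java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed "
    "at java.net.SocketInputStream.socketRead0(SocketInputStream.java) at ..."
)

if __name__ == "__main__":
    for label, result in [("dotall", split_first_break(STACKTRACE)),
                          ("no dotall", split_first_break(STACKTRACE, NO_DOTALL_SPLIT)),
                          ("single line", split_with_fallback(SINGLE_LINE))]:
        print(label, "->", result)
```

The [\r\n]+ separator also absorbs a CRLF pair, so Windows-style traces split the same way.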