I'm having a problem with a multi-line field extraction that I have been struggling to figure out.
2017-05-19T12:48:10,337|[http-nio-9094-exec-8]|INFO|VM!|com.alb.bps.common.validation.ImagingCommonValidator|436CCDF8BD1E405E131392C31DA79857|674e1625-750f-4311-a29d-787b1a92b4c8|user2|Normal|IBD2|Validator Request:DocumentVO [busFuncCd=16, busFuncDocType=CKS],imageVO=null]|documentId=>678910|endorsedVersion=>false|nativeFormat=>false|formatType=>JPEG|advisorView=>false|advisorId=>null|
2017-05-19T13:22:26,236|[http-nio-9094-exec-4]|INFO|VM@|com.alb.bps.common.validation.ImagingCommonValidator|EC801FC17F8362A0EF4DE84CC22BDAC7|74589db8-7d0c-41d7-b5a2-d3250631b0eb|null%40null|user1|Normal|IBD1|Validator Request:DocumentVO [busFuncCd=null,busFuncDocType=null,imageVO=null]|documentId=>12345|endorsedVersion=>true|nativeFormat=>true|formatType=>null|advisorView=>false|advisorId=>null|
Can you please help me ...
^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>\w+)((.*\.\d+\|)|(.*\-\w+\|)|(.*\%\w+\|))(?P<USERID>[^\|]+)
Hey @rraje_rgandhi,
I got the workaround for your query!
Try this!
^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>[^|]+)\|.*((null%40null\|)|(\-\w+\|))(?P<USERID>[^\|]+)
OR
^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>[^|]+)\|.*\-\w+\|((null%40null\|)|)(?P<USERID>[^\|]+)
https://regex101.com/r/s4yM1f/1
https://regex101.com/r/voZkXP/1
I think this should work.
Let me know if this helps!
Please stop crossposting the same questions by using multiple accounts!
I answered this on here:
https://answers.splunk.com/answers/609629/how-to-extract-the-files-each-line-has-different-f.html
^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>\w+)((.*\.\d+\|)|(.*\-\w+\|)|(.*\%\w+\|))(?P<USERID>[^\|]+)
Hey, from your regex I think you need to extract only Date, VM and USERID, right?
So can you tell me what the VM and USERID are in your sample event?
In my logs, I have mentioned the VM as VM!, VM@
and the user as user1 and user2....
While using the above expression, for line 2, instead of user1, I am getting null%40null.
Hey, is null%40null static? I mean, is there only null%40null before the user in this kind of event?
Yes, for this kind of event we have only null%40null before the user ID.
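The behaviour discussed in this thread, as an added example that is not code from any of the posters: it runs the original expression and the first suggested expression over the two sample events (tails shortened), then compares both with a position-anchored pattern on a constructed third event whose user ID contains a hyphen. The `POSITIONAL` pattern, the `extract` helper and the third event are assumptions for illustration, and the pattern assumes the user field always sits three fields after VM, optionally preceded by `null%40null`, as in the samples.

```python
import re

# The two sample events from the question, cut off after documentId.
EVENTS = [
    "2017-05-19T12:48:10,337|[http-nio-9094-exec-8]|INFO|VM!|"
    "com.alb.bps.common.validation.ImagingCommonValidator|"
    "436CCDF8BD1E405E131392C31DA79857|674e1625-750f-4311-a29d-787b1a92b4c8|"
    "user2|Normal|IBD2|Validator Request:DocumentVO [busFuncCd=16, "
    "busFuncDocType=CKS],imageVO=null]|documentId=>678910|",
    "2017-05-19T13:22:26,236|[http-nio-9094-exec-4]|INFO|VM@|"
    "com.alb.bps.common.validation.ImagingCommonValidator|"
    "EC801FC17F8362A0EF4DE84CC22BDAC7|74589db8-7d0c-41d7-b5a2-d3250631b0eb|"
    "null%40null|user1|Normal|IBD1|Validator Request:DocumentVO "
    "[busFuncCd=null,busFuncDocType=null,imageVO=null]|documentId=>12345|",
]

# Constructed event (not from the thread): the user ID itself contains a hyphen.
CONSTRUCTED = (
    "2017-05-19T14:00:00,000|[http-nio-9094-exec-1]|INFO|VM!|"
    "com.alb.bps.common.validation.ImagingCommonValidator|"
    "0123456789ABCDEF0123456789ABCDEF|00000000-0000-4000-8000-000000000000|"
    "user-3|Normal|IBD2|"
)

# Expression from the question.
ORIGINAL = (r"^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>\w+)"
            r"((.*\.\d+\|)|(.*\-\w+\|)|(.*\%\w+\|))(?P<USERID>[^\|]+)")
# First expression from the answer.
ANSWER = (r"^(?P<Date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>[^|]+)\|"
          r".*((null%40null\|)|(\-\w+\|))(?P<USERID>[^\|]+)")
# Assumed alternative: count fields instead of searching for "-word|" with a
# greedy ".*", so a hyphen in any later field cannot shift the capture.
POSITIONAL = (r"^(?P<Date>[^|]+)\|\[[^\]]*\]\|\w+\|(?P<VM>[^|]+)\|"
              r"(?:[^|]+\|){3}(?:null%40null\|)?(?P<USERID>[^|]+)")


def extract(pattern, event):
    """Return (Date, VM, USERID) for one event, or None if nothing matches."""
    m = re.search(pattern, event)
    return (m["Date"], m["VM"], m["USERID"]) if m else None


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("answer", ANSWER),
                      ("positional", POSITIONAL)):
        for ev in EVENTS + [CONSTRUCTED]:
            print(f"{name:10} {extract(pat, ev)}")
```
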