Getting Data In

How to extract data when log entries have multiple entries?

nottheboss
Engager

I have a log entry which has multiple entries within it. i would like to be able to extract each row and have a table with rows for each entry
for example
this is the log
[22/Mar/2018:17:06:23 -0700] id 100 “GET /URL1” 200 276
[22/Mar/2018:17:06:23 -0700] id 101 “GET /URL2” 200 276
[22/Mar/2018:17:06:23 -0700] id 102 “GET /URL3” 200 276

Table
100 URL1
101 URL2
102 URL3

0 Karma
1 Solution

mayurr98
Super Champion

Try this run anywhere search

| makeresults 
| eval _raw="[22/Mar/2018:17:06:23 -0700] id 100 “GET /URL1” 200 276
[22/Mar/2018:17:06:23 -0700] id 101 “GET /URL2” 200 276 
[22/Mar/2018:17:06:23 -0700] id 102 “GET /URL3” 200 276" 
| rex max_match=0 "id\s+(?<id>\d+)\s+\“\w+\s+\/(?<url>\w+)" 
| eval c=mvzip(id,url) 
| mvexpand c 
| rex field=c "(?<id>[^\,]+)\,(?<url>.*)" 
| table id url

In your environment, try

<your base search> 
| rex max_match=0 "id\s+(?<id>\d+)\s+\“\w+\s+\/(?<url>\w+)" 
| eval c=mvzip(id,url) 
| mvexpand c 
| rex field=c "(?<id>[^\,]+)\,(?<url>.*)" 
| table id url

let me know if this helps!

View solution in original post

0 Karma

mayurr98
Super Champion

Try this run anywhere search

| makeresults 
| eval _raw="[22/Mar/2018:17:06:23 -0700] id 100 “GET /URL1” 200 276
[22/Mar/2018:17:06:23 -0700] id 101 “GET /URL2” 200 276 
[22/Mar/2018:17:06:23 -0700] id 102 “GET /URL3” 200 276" 
| rex max_match=0 "id\s+(?<id>\d+)\s+\“\w+\s+\/(?<url>\w+)" 
| eval c=mvzip(id,url) 
| mvexpand c 
| rex field=c "(?<id>[^\,]+)\,(?<url>.*)" 
| table id url

In your environment, try

<your base search> 
| rex max_match=0 "id\s+(?<id>\d+)\s+\“\w+\s+\/(?<url>\w+)" 
| eval c=mvzip(id,url) 
| mvexpand c 
| rex field=c "(?<id>[^\,]+)\,(?<url>.*)" 
| table id url

let me know if this helps!

0 Karma

damiensurat
Contributor

Hmm. I’m curious to understand. Each event in Splunk has multiple lines of a log event? I can’t say I know your data or how it’s coming into Splunk, but it would be good if each of these was an individual event with linebreaking. If this can’t be done and you have multiple lines in each event, there are ways of handeling this, but it would be better to understand how events are coming in first before explaining how you can split multivalue or multi line events if that is not the case.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...