Hi,
I have logs like this:
Exception in thread "main" java.lang.RuntimeException: Some other message
at Exceptions.main(Exceptions.java:4)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)
Caused by: java.lang.RuntimeException: Some message
at Exceptions.main(Exceptions.java:3)
These are my raw events and I am able to extract them using regex. My issue is the left indentation for the first line and "Caused by" is, of course, missing when I extract them using regex. Currently my regex returns something like this:
Exception in thread "main" java.lang.RuntimeException: Some other message
at Exceptions.main(Exceptions.java:4)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)
Caused by: java.lang.RuntimeException: Some message
at Exceptions.main(Exceptions.java:3)
Is there a way to preserve the left indentation wherever applicable?
I cover this in this Q&A, but the problem is that Splunk presents newlines in data as spaces and there is NO way to change this. The work-around is to split the field into a multi-valued field at each newline:
https://answers.splunk.com/answers/560325/fix-loss-of-text-formatting-in-dashboard-table-fie.html
You can use rex in sed mode to remove spaces at the beginning of lines in your field.
| rex field=yourFieldName mode=sed "s/^\s+//g"
Hi, yes, the sed mode is one option, and I was not clear in stating my initial needs. I meant, can something apply to this specific extraction only?
I have other raw fields with lines having indentation and I do not want them to retain their original indents. The other set should come without indents. When I apply the sed regex above, it applies to all my raw events, and I don't want that.
Change field=yourFieldName to the field name that you want to apply this to. By default it uses _raw which is all the data.
Hi, thanks a lot. I am a bit under the weather today, but I feel we are pretty near. The issue here is that I am trying this on the _raw field, and I have to, as these are raw log entries. So, how can I assign a field name here?
If I assign _raw, it of course takes all the events, AND I have to apply this to the _raw events.
Just one step away I guess :)?
I’m confused. Can you share a screenshot of your search and the results?
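
The selective handling discussed in this thread, as an added example that is not part of any post above: it models the logic in Python rather than SPL, splitting each event into one value per line (the multi-valued-field work-around) and stripping leading whitespace only from events that are not Java stack traces. The function names, the sample events and their tab/space indentation are constructed assumptions.

```python
import re

# A frame line ("at pkg.Class.method(File.java:N)") or a "Caused by:" line,
# with any amount of leading whitespace, marks a Java stack trace event.
FRAME = re.compile(r"^[ \t]*at [\w.$<>]+\([^)]*\)[ \t]*$", re.MULTILINE)
CAUSED_BY = re.compile(r"^[ \t]*Caused by: ", re.MULTILINE)
# Without re.MULTILINE, ^ anchors only at the start of the whole event,
# so only the first line would ever be stripped.
LEADING_WS = re.compile(r"^[ \t]+", re.MULTILINE)


def is_java_stack_trace(event: str) -> bool:
    """True when the event contains a stack frame or a 'Caused by:' line."""
    return bool(FRAME.search(event) or CAUSED_BY.search(event))


def to_lines(event: str) -> list:
    """Return one value per line of the event.

    Stack trace events keep their indentation; every other event has the
    leading whitespace of each line removed.
    """
    if not is_java_stack_trace(event):
        event = LEADING_WS.sub("", event)
    return event.splitlines()


# Constructed sample events; the indentation shown is an assumption.
TRACE = (
    'Exception in thread "main" java.lang.RuntimeException: Some other message\n'
    "\tat Exceptions.main(Exceptions.java:4)\n"
    "\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n"
    "Caused by: java.lang.RuntimeException: Some message\n"
    "\tat Exceptions.main(Exceptions.java:3)\n"
)
OTHER = "job=backup status=ok\n    detail: 3 files copied\n    detail: 0 errors\n"

if __name__ == "__main__":
    for event in (TRACE, OTHER):
        print("\n".join(to_lines(event)), end="\n\n")
```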