Solved: How to create a regex or rex in a search to extrac...

mani3033 · ‎09-05-2018

Hi Splunk Gurus - I am new to splunk, need your help on the below.

Below is how the events are getting into splunk, every event have multiple lines. Need a REX or REGEX to split every line as individual events.

15:44:26,951  INFO ALPSessionListener:21 - Session destroyed
15:44:27,437  INFO HomeController:121 - mapping -----/home
15:44:27,451  INFO AccessCardUtility:98 - In query payment method {https://alp.doc.company.com/doc/ccpwebservice/ServiceWeb.svc}
15:44:27,586  INFO HomeController:497 - User roles ----[Supervisor]
15:44:27,617  INFO ALPFilter:49 - User name:{InitialLogin}, Session Id:{x71d4QsDMRp0tpUAYH-LnEn-KRPdDPmsbgQpBLi7}, Login Date Time:{2018-09-05T15:44:27.617}, Resource accessing:{http://alp.doc.company.com/doc/WEB-INF/layout/GenericLayout.jsp}, Time Taken:{181ms}
15:44:27,904  INFO ALPInterceptor:70 - User has access to the URL/alp/ReconcileCashDrawer:{true}
15:44:27,904  INFO ReconcileCashDrawerController:121 - mapping -----/ReconcileCashDrawer
15:44:27,932  INFO ALPFilter:49 - User name:{JP19630}, Session Id:{fVrI3lxJKtjsd-IsoEr7An-14xrq}, Login Date Time:{2018-09-05T15:44:27.932}, Resource accessing:{http://alp.doc.company.com/doc/WEB-INF/layout/GenericLayout.jsp}, Time Taken:{28ms}
15:44:28,152  INFO ALPSessionListener:15 - ALP session created
15:44:28,207  INFO HandleDlsPaymentController:634 - payment response is ---org.datacontract.schemas._2004._07.Common_Payment_Common.GetPaymentInfoResponse@468bfb00
15:44:28,214  INFO RecPaymentController:71 - XML recieved {
15:44:28,214  INFO XMLUtility:51 - IN XML UTILITY
15:44:28,234  INFO ALPFilter:49 - User name:{InitialLogin}, Session Id:{gg6KJGawjksfdklafklto9ju8aQTzvaP2PLRum}, Login Date Time:{2018-09-05T15:44:28.234}, Resource accessing:{http://alp.doc.company.com/doc/settleSuccessful}, Time Taken:{783ms}
15:44:28,266  INFO ALPProductLlpsDAO:130 - number of products passed are {2}
15:44:28,346  INFO ALPSessionListener:15 - ALP session created

493669 · ‎09-06-2018

try this in props.conf

[sourcetype_name]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

View solution in original post

imthesplunker · ‎09-06-2018

Try in props.conf.

[sourcetype_name]
LINE_BREAKER =  ([\r\n]+)\d{1,2}\:\d{1,2}\:\d{1,2}
SHOULD_LINEMERGE = false
TIME_FORMAT = %H:%M:%S,%3N
TIME_PREFIX = ^

inventsekar · ‎09-06-2018

Hi Mani.. this whole logs is a single event?!?!
by using regex, do you want to get single line as a separate "event"?!?!?

Need a REX or REGEX to split every line as individual events //
once indexed, we can not use rex/regex to split the events to individual events..

by rex/regex, we can "extract" the lines and then do some calculations/reportings, etc..

mani3033 · ‎09-06-2018

Yes the app team writes the dump in to log file so many lines in one event, i used props.conf finally

493669 · ‎09-06-2018

try this in props.conf

[sourcetype_name]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

mani3033 · ‎09-06-2018

Thanks for all you responses, Finally i used the props.conf instead of trying to parse in the runtime search. It worked.

How to create a regex or rex in a search to extract each line in a log event to separate events?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...