- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can i break multiple lines of a log ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can i break this lines ?
I used this regex but i can't obtain multiple data of each event with lot uid:
Regex:
[ldif]
EXTRACT-ldifid = uniqueMember:\suid=(?
uniqueMember: uid=b072psre,ou=people,o=b072,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b044ghna,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b044aaqu,ou=People,o=B044,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b044mgcr,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b044aasa,ou=People,o=B044,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b044ogre,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b044ggre,ou=people,o=b044,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b132mdga,ou=people,o=b132,o=nacionales,o=bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b830gosa,ou=People,o=B830,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp
uniqueMember: uid=b132vhga,ou=People,o=B132,o=Nacionales,o=Bancos,o=clientes,o=prosa.com.mx,o=isp
Show all 242 lines
• host=ldif-locales
• source=OperadoresLocales.ldif
• sourcetype=ldif
• uid=b072psre
• ldifid=b072psre
I want extract the values of the consecutive rows, then i can make a top of "uid"s, Splunk only returns one "uid" for each log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to add the directive MV_ADD = true in props.conf. By default Splunk will just extract one value and then stop - but if you specify MV_ADD = true it will continue matching and create a multivalued field holding all values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to add the directive MV_ADD = true in props.conf. By default Splunk will just extract one value and then stop - but if you specify MV_ADD = true it will continue matching and create a multivalued field holding all values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you ! The lines is broken now ! But i don't understand why some lines is together yet.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
