Re: Multiple-lines fields extraction from an alrea...

royimad · ‎08-22-2013

Hello,

I have a text extracted in a field called MessageBody , the text contains multilines not a single lines and fields are separated by dash "-"
The text format is the following:
Field1 - Field2 - Needed Field3 -
Field4 - Field5
Another Field1 - Another Field2 - Another Needed Field3 -
Another Field4 - Another Field5

I need a regular expression to extract Fields number 3, How can i do that?

kristian_kolb · ‎08-22-2013

The following should work as an extract in props.conf; non-space followed by space, dash, space - two times, then grab all non-space as field3

EXTRACT-blah = (?m)^(\S+\s\-\s){2}(?<field3>\S+)

nekb1958 · ‎08-22-2013

Hi

sounds for me similar to my problem to parse the email of my dsl-router with embedded logline entries.
I stored the entries (unique pattern "timestamp followed from 4 spaces") as a multivalue field with a transformation and then splitted it in timestamp-logmessage pairs with

index=mail | mvexpand logevents | table logevents | rex field=logevents "..." | ...

in your case i would try to split the field MessageBody at the end of line characters into a mv-field with makemv

after that "mvexpand MessageBody" maybe with a trailing " | table MessageBody "

and then parse every line (now a single event) with a regex like

rex field=MessageBody "(?[^-]+)-(?[^-]+)-(?[^-]+)-"

maybe that helps you to find your solution?

Multiple-lines fields extraction from an already extracted field

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?