4
2018-06-20T00:04:35.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\documents.db
2018-06-20T00:07:16.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\store-promotions.db
2018-06-20T00:07:21.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\store-promotions.db
2018-06-20T00:07:26.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\store-promotions.db

I have been trying to get my Splunk query right in order to split this one event into multiple events, but for some reason I cannot get my query right.

I tried to split on newline but the result set comes back unchanged. I understand from reading online that I'm supposed to use something along the lines of

myQuery | rex field=_raw "\[(?P<field1>...).*[\r\n]"

Apologies by the way. My regex game is not strong.

L-Samuels
  • Why do you try to match `[` if your data does not contain it? Also, why not then just use `rex field=_raw ".+"`? `.+` matches any 1+ chars other than newline. – Wiktor Stribiżew Jun 20 '18 at 13:42
  • I was trying to piece together examples that I've seen online, but regex is almost alien to me. – L-Samuels Jun 20 '18 at 13:50
  • .*[\r\n] seems to be just what I need when testing the regex in the Sublime Text editor. It's only when I hook it into the rest of my Splunk query that I get no joy. I just get back the same event with the above multiple entries. – L-Samuels Jun 20 '18 at 14:15

2 Answers

7

I realise that this could simply be done using

myQuery | multikv noheader=t

I hope this helps someone else as I spent a couple hours trying to get the regex right.

EDIT: Fixed command.

saarp
3

Try ... | eval events=split(_raw, "\n") | mvexpand events | ....

BTW, regex101.com is great for testing regex strings.

RichG