Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 162
  • Last Modified:

Splunk REGEX working perfectly for single line, not detecting multiline

Hello Experts,

I'm running Splunk to grab some live data off a switch and my regular expression is working great when it comes in a single line. However sometimes when the events happen too close together (which is common) the data comes in with multiple lines and the regex then only catches the first line. I googled it and everything I found said to just add (?m) to the beginning but that doesn't seem to be working. Here's a screenshot of the missing data from any more than one received at a time.
splunk-regex.png
0
EndTheFed
Asked:
EndTheFed
  • 3
  • 3
2 Solutions
 
Terry WoodsIT GuruCommented:
You could try (?gm) instead of (?m) to try to capture the extra result. Let me know if it works
0
 
Terry WoodsIT GuruCommented:
If that doesn't work, could you please copy and paste your pattern; I have another idea
0
 
Terry WoodsIT GuruCommented:
I'm not familiar with Splunk (my focus is on regex in general, and in other languages), but it appears using the max_match argument could work (with 0 for unlimited):
rex max_match=0 "(?m)^yourpattern"

Open in new window


Details here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Rex

You'll still need the (?m) because you want the ^ in your pattern to match the start of each line.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
EndTheFedAuthor Commented:
Thank you for the quick reply! Unfortunately it doesn't look like either of those are working.
When I try (?gm) it fails completely with "Regex: unrecognized character after (? or (?-"
When I tried rex max_match=0 "(?m)^mypattern" I don't get an error on the syntax but it then doesn't match anything, not even the first line. I also tried max_match=1 and max_match=10 just to see what would happen, still nothing.
0
 
EndTheFedAuthor Commented:
Your asking to see my pattern made me go back and check the Event breaks at the Source type and I then realized... it's not set by pattern. Oops. Splunk has three options for event breaks, Auto (which is what it was set to), Every Line, and Regex (where you can specify a pattern for event breaks). I didn't think the Every Line option was functioning but it turns out for that type of change the service had to be restarted. Now set to Every Line (no pattern) and working.

If anyone comes across a similar issue to this (which I imagine is fairly common) change your Event Break to Every Line and restart the splunkd service.
1
 
EndTheFedAuthor Commented:
Error on my part. Should have restarted service to be certain.
0

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now