?
Solved

Splunk REGEX working perfectly for single line, not detecting multiline

Posted on 2016-10-19
6
Medium Priority
?
82 Views
Last Modified: 2016-10-25
Hello Experts,

I'm running Splunk to grab some live data off a switch and my regular expression is working great when it comes in a single line. However sometimes when the events happen too close together (which is common) the data comes in with multiple lines and the regex then only catches the first line. I googled it and everything I found said to just add (?m) to the beginning but that doesn't seem to be working. Here's a screenshot of the missing data from any more than one received at a time.
splunk-regex.png
0
Comment
Question by:EndTheFed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 35

Expert Comment

by:Terry Woods
ID: 41851465
You could try (?gm) instead of (?m) to try to capture the extra result. Let me know if it works
0
 
LVL 35

Assisted Solution

by:Terry Woods
Terry Woods earned 2000 total points
ID: 41851513
If that doesn't work, could you please copy and paste your pattern; I have another idea
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 41851578
I'm not familiar with Splunk (my focus is on regex in general, and in other languages), but it appears using the max_match argument could work (with 0 for unlimited):
rex max_match=0 "(?m)^yourpattern"

Open in new window


Details here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Rex

You'll still need the (?m) because you want the ^ in your pattern to match the start of each line.
0
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

 

Author Comment

by:EndTheFed
ID: 41852454
Thank you for the quick reply! Unfortunately it doesn't look like either of those are working.
When I try (?gm) it fails completely with "Regex: unrecognized character after (? or (?-"
When I tried rex max_match=0 "(?m)^mypattern" I don't get an error on the syntax but it then doesn't match anything, not even the first line. I also tried max_match=1 and max_match=10 just to see what would happen, still nothing.
0
 

Accepted Solution

by:
EndTheFed earned 0 total points
ID: 41852469
Your asking to see my pattern made me go back and check the Event breaks at the Source type and I then realized... it's not set by pattern. Oops. Splunk has three options for event breaks, Auto (which is what it was set to), Every Line, and Regex (where you can specify a pattern for event breaks). I didn't think the Every Line option was functioning but it turns out for that type of change the service had to be restarted. Now set to Every Line (no pattern) and working.

If anyone comes across a similar issue to this (which I imagine is fairly common) change your Event Break to Every Line and restart the splunkd service.
1
 

Author Closing Comment

by:EndTheFed
ID: 41858259
Error on my part. Should have restarted service to be certain.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month7 days, 20 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question