Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Splunk REGEX working perfectly for single line, not detecting multiline

Posted on 2016-10-19
6
Medium Priority
?
114 Views
Last Modified: 2016-10-25
Hello Experts,

I'm running Splunk to grab some live data off a switch and my regular expression is working great when it comes in a single line. However sometimes when the events happen too close together (which is common) the data comes in with multiple lines and the regex then only catches the first line. I googled it and everything I found said to just add (?m) to the beginning but that doesn't seem to be working. Here's a screenshot of the missing data from any more than one received at a time.
splunk-regex.png
0
Comment
Question by:EndTheFed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 35

Expert Comment

by:Terry Woods
ID: 41851465
You could try (?gm) instead of (?m) to try to capture the extra result. Let me know if it works
0
 
LVL 35

Assisted Solution

by:Terry Woods
Terry Woods earned 2000 total points
ID: 41851513
If that doesn't work, could you please copy and paste your pattern; I have another idea
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 41851578
I'm not familiar with Splunk (my focus is on regex in general, and in other languages), but it appears using the max_match argument could work (with 0 for unlimited):
rex max_match=0 "(?m)^yourpattern"

Open in new window


Details here:
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Rex

You'll still need the (?m) because you want the ^ in your pattern to match the start of each line.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:EndTheFed
ID: 41852454
Thank you for the quick reply! Unfortunately it doesn't look like either of those are working.
When I try (?gm) it fails completely with "Regex: unrecognized character after (? or (?-"
When I tried rex max_match=0 "(?m)^mypattern" I don't get an error on the syntax but it then doesn't match anything, not even the first line. I also tried max_match=1 and max_match=10 just to see what would happen, still nothing.
0
 

Accepted Solution

by:
EndTheFed earned 0 total points
ID: 41852469
Your asking to see my pattern made me go back and check the Event breaks at the Source type and I then realized... it's not set by pattern. Oops. Splunk has three options for event breaks, Auto (which is what it was set to), Every Line, and Regex (where you can specify a pattern for event breaks). I didn't think the Every Line option was functioning but it turns out for that type of change the service had to be restarted. Now set to Every Line (no pattern) and working.

If anyone comes across a similar issue to this (which I imagine is fairly common) change your Event Break to Every Line and restart the splunkd service.
1
 

Author Closing Comment

by:EndTheFed
ID: 41858259
Error on my part. Should have restarted service to be certain.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
How does someone stay on the right and legal side of the hacking world?
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question