Extracting number of fields from a multi line event

Question

Hello,

I am trying to extract fields from an event which looks like this (I have multiple events)

total time (ms): 5 
web server processing time (ms/%): 2 40 
transmission time (ms/%): 3 60 
bytes sent/received: 100 200 
start time (ms): 1234 
end time(ms): 2345

some lines have one field, and other have two fields making it impossible for me to extract these numbers. I would like splunk to create two separate fields for the lines which have two parameters but I have not been successful in doing so. Anyone have any idea(s) to get this to work? Or is this not possible. Thanks!

Answer 1

1

You may need to break every line as an event and define two regex like:

REGEX...:(\d+)\s+(\d+) FORMAT=field1::$1 field2::$2

REGEX=...:(\d+) FORMAT=field3::$1

link

answered 23 Jun '10, 02:45

katalinali
80●2●2●11
accept rate: 0%

:( it definitely pulls out a few of the fields but its very redundant and the regexes triggers for all the events giving a lot of garbage fields. Thanks though! This could be useful for other cases

(29 Jun '10, 18:23) hiwell

Extracting number of fields from a multi line event

Follow this question

Splunk Resources

Related questions