Tags: regex, splunk, splunk-query

Splunk: Trying to split multiline event at search time


2018-06-20T00:04:35.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\documents.db
2018-06-20T00:07:16.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\store-promotions.db
2018-06-20T00:07:21.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\store-promotions.db
2018-06-20T00:07:26.000+00:00 (980) WAL Autocheckpointing, name=C:\Program Files\PriceService\data\store-promotions.db

I have been trying to get my Splunk query right in order to split this one event into multiple events, but for some reason I cannot get my query right.

I tried to split on newline, but the result set comes back unchanged. I understand from reading online that I'm supposed to use something along the lines of

myQuery | rex field=_raw "\[(?P<field1>...).*[\r\n]"

Apologies by the way. My regex game is not strong.


Solution

  • I realise that this could simply be done using

    myQuery | multikv noheader=t
    

    I hope this helps someone else, as I spent a couple of hours trying to get the regex right.

    EDIT: Fixed command.
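For readers who want to see what the per-line regex the question was reaching for actually looks like, here is an added worked example that is not part of the question or the answer above. It reproduces the search-time split in plain Python: the four-line event is embedded as a constructed sample modelled on the one in the question, the split is done on CR, LF or CRLF (the `[\r\n]` class from the question), and each resulting line is parsed with a pattern that uses the `(?P<name>...)` named-group syntax accepted by both Python's `re` module and Splunk's `rex` command. The field names `timestamp`, `pid`, `message` and `db_path` are my own choices, not anything the post defines.

```python
import re

# Constructed sample: one Splunk event whose _raw holds four log lines
# (modelled on the event in the question; values are illustrative).
RAW_EVENT = (
    "2018-06-20T00:04:35.000+00:00 (980) WAL Autocheckpointing, "
    "name=C:\\Program Files\\PriceService\\data\\documents.db\n"
    "2018-06-20T00:07:16.000+00:00 (980) WAL Autocheckpointing, "
    "name=C:\\Program Files\\PriceService\\data\\store-promotions.db\n"
    "2018-06-20T00:07:21.000+00:00 (980) WAL Autocheckpointing, "
    "name=C:\\Program Files\\PriceService\\data\\store-promotions.db\n"
    "2018-06-20T00:07:26.000+00:00 (980) WAL Autocheckpointing, "
    "name=C:\\Program Files\\PriceService\\data\\store-promotions.db\n"
)

# Named groups use the (?P<name>...) syntax that both Python's re and
# Splunk's rex command accept.  The pattern is anchored to the start and
# end of a line and excludes CR/LF from every group, so a single match can
# never run on into the next log line (the usual reason a "split on
# newline" regex appears to do nothing).
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2})"
    r"\s+\((?P<pid>\d+)\)"
    r"\s+(?P<message>[^,\r\n]+),"
    r"\s+name=(?P<db_path>[^\r\n]+)$",
    re.MULTILINE,
)


def split_event(raw):
    """Split a multiline _raw value into one string per non-empty line.

    Splits on CRLF, CR or LF and drops empty fragments, so a trailing
    newline does not produce a phantom empty event.
    """
    return [line for line in re.split(r"\r\n|\r|\n", raw) if line.strip()]


def extract_fields(line):
    """Return a dict of named fields for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def explode(raw):
    """The whole search-time pipeline: split the event, then extract per line.

    Lines that do not match are kept with only _raw set, so an unexpected
    line (a stack-trace fragment, for instance) is not silently discarded.
    """
    records = []
    for line in split_event(raw):
        fields = extract_fields(line) or {}
        fields["_raw"] = line
        records.append(fields)
    return records


if __name__ == "__main__":
    for rec in explode(RAW_EVENT):
        print(rec["timestamp"], rec["pid"], rec["db_path"])
```

The SPL equivalent of `split_event` is the common idiom `| rex field=_raw max_match=0 "(?<line>[^\r\n]+)" | mvexpand line`, which turns the one event into one result per line; `LINE_RE` can then be applied to `line` with a second `rex`. The `multikv noheader=t` answer above achieves the same split with less typing when the lines are uniform, as they are here.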