I have a multi line event in Splunk that looks like this:
{"log":"text 1\n","stream":"stdout","time":"2022-09-12T10:06:27.318327863Z"}
{"log":"text 2\n","stream":"stdout","time":"2022-09-12T10:06:28.318327863Z"}
{"log":"text 3\n","stream":"stdout","time":"2022-09-12T10:06:29.318327863Z"}
Splunk shows log as
log: text 1
and ignores the other lines. I need a field that says, for example:
log_sample: text 1
text 2
text 3
I'm not a Splunk admin, so I cannot change the config of Splunk. What I need is kind of a regex function so that I can manipulate the event. I tried this pipeline:
...| rex max_match=0 field=_raw "(?<lineData>zone.*?mark=(\},|\}\s+\]))" | mvexpand lineData
but it was not working (I found it on the Internet).
This is an example of why one should not copy code from the Internet without understanding what it does. The regular expression used in the rex command is for a completely different target string. You need to modify the regex to match your data.
Try this instead.
| rex max_match=0 "log\\\":\\\"(?<text>[^\\\"]+)" | mvexpand text
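To see concretely what each of the two rex patterns captures from the asker's event, here is an added Python script that emulates `rex max_match=0` with Python's `re` module over a constructed copy of the three JSON lines from the question. It is not part of the original thread and not Splunk code; it assumes SPL unescapes the quoted pattern the way the answer implies (`\\` to `\` and `\"` to `"`), and the function names and the JSON-decoding clean-up step are my own additions.

```python
import json
import re

# Constructed sample: the three JSON lines from the question, joined as one
# multi-line _raw event. Note that the "\n" inside each log value is the two
# characters backslash + n (a JSON escape), not a real newline.
RAW_EVENT = (
    '{"log":"text 1\\n","stream":"stdout","time":"2022-09-12T10:06:27.318327863Z"}\n'
    '{"log":"text 2\\n","stream":"stdout","time":"2022-09-12T10:06:28.318327863Z"}\n'
    '{"log":"text 3\\n","stream":"stdout","time":"2022-09-12T10:06:29.318327863Z"}'
)

# The pattern the asker copied from the Internet. Python names groups with
# (?P<name>...); otherwise the regex is unchanged. It looks for "zone" and
# "mark=", neither of which exists in this data.
COPIED_PATTERN = re.compile(r'(?P<lineData>zone.*?mark=(\},|\}\s+\]))')

# The pattern from the answer. SPL unescapes the quoted string first, so
# "log\\\":\\\"(?<text>[^\\\"]+)" becomes log\":\"(?<text>[^\"]+), and in a
# regex \" is just a literal quote. The effective pattern is therefore:
ANSWER_PATTERN = re.compile(r'log":"(?P<text>[^"]+)')


def rex_max_match_0(raw, pattern, field):
    """Emulate `rex max_match=0`: return every capture of the named group as
    a list (Splunk exposes this as a multivalue field; mvexpand would then
    produce one event per value)."""
    return [m.group(field) for m in pattern.finditer(raw)]


def clean_log_lines(raw):
    """Apply the answer's pattern, then decode the JSON escape left in each
    capture and drop the trailing newline, giving the text the asker wanted."""
    lines = []
    for value in rex_max_match_0(raw, ANSWER_PATTERN, "text"):
        # The capture is still JSON-escaped text; decoding it as a JSON string
        # turns the two characters backslash + n into a real newline.
        lines.append(json.loads('"' + value + '"').rstrip("\n"))
    return lines


def log_lines_via_json(raw):
    """Alternative that does not rely on the regex: parse each line as JSON.
    Unlike [^"]+, this also survives escaped quotes (backslash-quote) that
    may appear inside the log text."""
    return [json.loads(line)["log"].rstrip("\n")
            for line in raw.splitlines() if line.strip()]


def log_sample(raw):
    """The single multi-line field the asker described as log_sample."""
    return "\n".join(clean_log_lines(raw))


if __name__ == "__main__":
    print("copied pattern:", rex_max_match_0(RAW_EVENT, COPIED_PATTERN, "lineData"))
    print("answer pattern:", rex_max_match_0(RAW_EVENT, ANSWER_PATTERN, "text"))
    print("log_sample:\n" + log_sample(RAW_EVENT))
```

Running it shows the copied pattern matching nothing at all, while the answer's pattern yields three values. Two caveats worth knowing: the captures still contain the literal JSON escape `\n` at the end of each line (which is why the script decodes them before joining), and because `[^"]+` stops at the first quote, a log message that itself contains an escaped quote would be truncated; parsing each line as JSON, as `log_lines_via_json` does, is the sturdier route when that can happen.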