My Splunk system is reading in logs as multi-lined events, which is by design. So 1 event could have 300 lines or so.
Here is an extract from that long log file of 3 HDDs 1 of which is faulty.
15.5 : DRACKA z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)
15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
15.7 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)
I need a REX that will extract to a field ONLY the middle line. The REX will be used in the field extractor.
The extracted field could be called "failed_disk_error" and the result would be
15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)
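One way to test such an extraction offline, as an added example that is not part of the original post: the event text is constructed from the extract above, the pattern anchors each line with `(?m)` so the capture cannot spill across the multi-line event, and the Splunk PCRE spelling of the named group is noted in a comment.

```python
import re
from typing import List, Optional

# Constructed sample event: the three-drive extract from the post, one event, three lines.
SAMPLE_EVENT = (
    "15.5 : DRACKA z159_BHIFIJFOKFO xx01 5538.5GB 512B/sect (P78J4Dk)\n"
    "15.6 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (Failed)\n"
    "15.7 : DRACKA z159_BHIFIJFOKFO xx01 6538.5GB 512B/sect (PJ5F4Dk)"
)

# (?m) makes ^ and $ match at every line boundary inside the multi-line event,
# and [^\r\n]* keeps the capture on a single line, so only the line that ends
# in "(Failed)" lands in the group. Splunk's PCRE flavour writes the same
# named group as (?<failed_disk_error>...) instead of (?P<failed_disk_error>...).
FAILED_DISK_RE = re.compile(r"(?m)^(?P<failed_disk_error>[^\r\n]*\(Failed\))[ \t\r]*$")


def extract_failed_disk(event: str) -> Optional[str]:
    """Return the single failed-disk line, or None when no drive reports Failed."""
    match = FAILED_DISK_RE.search(event)
    return match.group("failed_disk_error") if match else None


def extract_all_failed_disks(event: str) -> List[str]:
    """Generalisation for long events where more than one drive may report Failed."""
    return [m.group("failed_disk_error") for m in FAILED_DISK_RE.finditer(event)]


if __name__ == "__main__":
    print(extract_failed_disk(SAMPLE_EVENT))
    # A healthy event yields no field at all rather than a partial match.
    healthy = SAMPLE_EVENT.replace("(Failed)", "(PX9Q1Dk)")
    print(extract_failed_disk(healthy))
```

Because the group is anchored per line, a 300-line event still yields exactly the failed drive's line, and an event with no failure yields no field rather than a spill-over match.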