How to use the DOTALL option in a regular expression

tsingara — Sat, 11 Sep 2010 03:45:56 GMT

I'm running a regular expression on a string which runs for 5 or more lines. The first few words on the first line helps me determine if the rest of the sentence is useful for me.

rex "(?P<Application>\w+[a-zA-Z]*) (?P<Message>.*+)" | fields Application, Message | Search Application ="abc"

here I want to display results if my Application equates to "abc" which is at the beginning of my multi-line string, the Message variable has only the characters till the end of the first line, it does return characters from the second or third line

Search String

abc def

ghi

jkl

The Application variable equates "abc" and Message return only "def", but I want it to return "def ghi jkl".

How should the Regular expression be changed to achieve this?

Re: How to use the DOTALL option in a regular expression

ahall_splunk — Tue, 21 Feb 2012 22:23:43 GMT

The correct nomenclature is to add (?ms) on the beginning - the s is dotall, and the m is multi-line. Thus:

rex field=_raw "(?ms)(?P<Application>\w+) (?P<Message>.*+)"

topic How to use the DOTALL option in a regular expression in Splunk Search

How to use the DOTALL option in a regular expression

Re: How to use the DOTALL option in a regular expression