topic Re: How to get a field extraction match up till the first time a string is found? in Splunk Search

How to get a field extraction match up till the first time a string is found?

jeck11 — Thu, 14 Mar 2019 16:42:02 GMT

This is the regex I've come up with so far. Unfortunately, it's either matching too much or not enough. I want it to match everything after "Details: " until the first time "java." is found. Basically, I'm looking for everything in the orange boxes in the example image below.

^Details\:\s(?<Error_Details>.*)\sjava\.\w+\.\w+(\s|\:)

Re: How to get a field extraction match up till the first time a string is found?

richgalloway — Thu, 14 Mar 2019 16:56:10 GMT

It would have been helpful to post the sample strings as text rather than as an image so we could test them in regex101.com.

Have you tried Details\:\s(?<Error_Details>[\s\S]*?)\sjava\.?

Re: How to get a field extraction match up till the first time a string is found?

jeck11 — Thu, 14 Mar 2019 17:51:56 GMT

I kind of see what you did there. The problem wasn't so much after the match as it was inside the match.

Details:\s(?[\s\S]*?)\sjava.\w+.\w+

Thank you very much for your assistance.

Re: How to get a field extraction match up till the first time a string is found?

richgalloway — Thu, 14 Mar 2019 18:50:28 GMT

Is it working now? If so, please accept the answer to help future readers. If not, please say where the answer is lacking.

Re: How to get a field extraction match up till the first time a string is found?

jeck11 — Thu, 14 Mar 2019 18:53:45 GMT

I'm sorry. I had clicked the accept and given the karma points. It's completely working now.