https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470773#M132437 <P>Hi Giuseppe,</P> <P>Thanks after adding it working, could you please let me know the purpose of adding <CODE>(?ms)</CODE> at the beginning of the regex.</P> <P>Regards,<BR /> Naresh</P> Tue, 03 Sep 2019 15:37:26 GMT nareshkumar1985 2019-09-03T15:37:26Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470771#M132435 <P>Hi All,<BR /> I am trying to capture line starting with a number, I have created a regex and tested it in regex101 site and it is working as expected but when I used the same in Splunk using rex it is failing to capture and the result is blank.</P> <P><A href="https://regex101.com/r/OLUh4A/1">https://regex101.com/r/OLUh4A/1</A></P> <P><STRONG>Text:</STRONG></P> <PRE><CODE>Cluster GUID: xxxxxxxxxxxxxxx Sender OneFS Version: Isilon OneFS v8.0.0.6 B_MR_8_0_0_6_117(RELEASE) Sender Serial Number: xxxxxxx Node 5 Eventgroups ------------------------------------------------------------------------ OneFS Version: Isilon OneFS v8.0.0.6 B_MR_8_0_0_6_117(RELEASE) Serial Number: xxxxxxxx ------------------------------------------------------------------------ ID Started Sev Message ------------------------------------------------------------------------ 136486 09/02 03:33 I SmartQuotas threshold violation on quota exceeded, domain directory /xx/xxxxxxx/NAM/xxxxx/xxxxxx/Cisco Attachment Manifest: Attached: events-000e1ea5fexxxxxx-xxxxxxxxx.xml quotaexceeded.35738 - events-000e1eaxxxxxxxxdccc983-xxxxxx.xml - quotaexceeded.35738 </CODE></PRE> <P><STRONG>Regex used :</STRONG> <CODE>[\s\S]*(?&lt;ID&gt;^\d{1,})\s(?&lt;time&gt;\d{2}\/\d{2}\s\d{2}:\d{2})\s{1,}(?&lt;sev&gt;\w)\s{1,}(?&lt;message&gt;[\s\S]*)Attachment\sManifest:[\s\S]*</CODE></P> Tue, 03 Sep 2019 15:02:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470771#M132435 nareshkumar1985 2019-09-03T15:02:14Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470772#M132436 <P>Hi nareshkumar1985,<BR /> did you already tried to add <CODE>(?ms)</CODE> at the beginning of your regex?</P> <P>bye.<BR /> Giuseppe</P> Tue, 03 Sep 2019 15:30:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470772#M132436 gcusello 2019-09-03T15:30:03Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470773#M132437 <P>Hi Giuseppe,</P> <P>Thanks after adding it working, could you please let me know the purpose of adding <CODE>(?ms)</CODE> at the beginning of the regex.</P> <P>Regards,<BR /> Naresh</P> Tue, 03 Sep 2019 15:37:26 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470773#M132437 nareshkumar1985 2019-09-03T15:37:26Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470774#M132438 <P>in regex101 there are (on the right of the regex box) the regex options (/gm) that you need to insert in your regex in Splunk.<BR /> Bye.<BR /> Giuseppe</P> Tue, 03 Sep 2019 15:42:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470774#M132438 gcusello 2019-09-03T15:42:51Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470775#M132439 <P>Thank you, Giuseppe</P> Tue, 03 Sep 2019 17:49:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-rex-capture-not-working/m-p/470775#M132439 nareshkumar1985 2019-09-03T17:49:31Z