https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599657#M208720 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/246273">@spencerneal</a>,</P><P>the request is just a little vague because if in your events you have more lines, you'll have more extractions, is this what you want?</P><P>Otherwise please give more details in extraction and, please, share some sample of your data highlighting the parts to extract.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 28 May 2022 08:59:43 GMT gcusello 2022-05-28T08:59:43Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599641#M208714 <P>Hello,&nbsp;</P> <P>I&nbsp;am trying to figure out how to rex extract from text that starts with a newline and ends with a newline.&nbsp; For example:&nbsp; \\nCAR PRODUCT: bat mobile\n</P> <P>Does anyone know a good way around this situation so that only "bat mobile" is extracted?</P> <P>&nbsp;</P> <P>Thank you for your help.</P> <P>Spencer</P> Tue, 31 May 2022 05:03:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599641#M208714 spencerneal 2022-05-31T05:03:31Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599657#M208720 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/246273">@spencerneal</a>,</P><P>the request is just a little vague because if in your events you have more lines, you'll have more extractions, is this what you want?</P><P>Otherwise please give more details in extraction and, please, share some sample of your data highlighting the parts to extract.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 28 May 2022 08:59:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599657#M208720 gcusello 2022-05-28T08:59:43Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599661#M208721 <P><SPAN>Giuseppe,</SPAN></P><P><SPAN>Thank you for your help.</SPAN></P><P><SPAN>I am trying to rex&nbsp;</SPAN>extract "bat mobile" from something similar to the following raw text.</P><P>As you can see there is a newline following "bat mobile". &nbsp;I am having trouble figuring out how to rex "bat mobile" only and not get everything after "bat mobile".&nbsp;</P><P><SPAN>example:&nbsp; \\nDAMAGED PRODUCT: bat mobile\nmail:sneal@gmail.com</SPAN></P><P><SPAN>my current code is: &nbsp;</SPAN></P><P>|rex “DAMAGED PRODUCT:<SPAN class="">&nbsp; </SPAN>(?P&lt;SWN&gt;.+?)"</P><P>However, I don't know what to put after the second parentheses so that rex will only extract "bat mobile".</P><P>I hope my thought makes sense.</P><P>Once again, thank you greatly for your help.</P><P>Spencer</P><P>&nbsp;</P> Sat, 28 May 2022 13:35:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599661#M208721 spencerneal 2022-05-28T13:35:23Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599666#M208723 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/246273">@spencerneal</a>,</P><P>as I said, the only way I can help you is that you share some samples (not one!) of your logs: eventually mask sensible contents but don't change the log structure.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 28 May 2022 15:06:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-extract-from-text-that-starts-with-a-newline-and-ends/m-p/599666#M208723 gcusello 2022-05-28T15:06:52Z