Building for the Splunk Platform

Why is rex not extracting all data (limitation on data extraction?)

harshparikhxlrd
Path Finder

Hello, I am using a rex to extract data. It ends up extracting only a portion of the data, but not all of it.

Here is what is supposed to be extracted: Everything after Message equals highlighted in yellow. The 4 "at"'s aren't be extracted.
hidden

And here is what is being extracted:

hidden

I'm not sure if it is a limitation on splunk or not on how many characters can be extracted.

Code:

hidden

0 Karma
1 Solution

to4kawa
Ultra Champion

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

View solution in original post

to4kawa
Ultra Champion

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

harshparikhxlrd
Path Finder

Yours works too. And oh, okay. So, . operator does support new lines. So, do you know what the \s\S on the previous post was? Or why you need both of them for that query?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The . operator in regex does not span newlines. Try | rex field=Message "Message=\"(?<msg>[\s\S]*)".

---
If this reply helps you, Karma would be appreciated.
0 Karma

harshparikhxlrd
Path Finder

Oh. I didn't realize that . operator did not reference new lines. So, this command you gave me essentially just considers new lines/spaces. The \s/S?

0 Karma

harshparikhxlrd
Path Finder

What is the difference between \s and \S I'm thought those were only used for spacing.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

\s (lower case) is white space.
\S (upper case) is anything that is not white space.
Put them together and you match anything.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...