Hello, I am using a rex to extract data. It ends up extracting only a portion of the data, but not all of it.
Here is what is supposed to be extracted: Everything after Message equals highlighted in yellow. The 4 "at"'s aren't being extracted.
And here is what is being extracted:
I'm not sure whether it is a limitation in Splunk on how many characters can be extracted.
Yours works too. And oh, okay. So, . operator does support new lines. So, do you know what the \s\S on the previous post was? Or why you need both of them for that query?
. operator in regex does not span newlines. Try
| rex field=Message "Message=\"(?<msg>[\s\S]*)"
\s (lower case) is white space.
\S (upper case) is anything that is not white space.
Put them together and you match anything.
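
Added example (not part of the original thread): a Python check of the difference between `.` and `[\s\S]` described in the answers above, run on a constructed multi-line event. The event text, pattern labels and helper functions are assumptions; Python writes the named group as `(?P<msg>...)` where rex uses `(?<msg>...)`.

```python
import re

# Constructed sample event: a Message field holding a Java-style stack trace
# with four "at" frames on separate lines (not data from the original post).
EVENT = (
    'Message="java.lang.IllegalStateException: constructed example\n'
    '   at com.example.Service.run(Service.java:42)\n'
    '   at com.example.Worker.call(Worker.java:17)\n'
    '   at com.example.Pool.exec(Pool.java:88)\n'
    '   at com.example.Main.main(Main.java:5)'
)

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
PATTERNS = {
    "dot": r'Message="(?P<msg>.*)',         # . stops at the first newline
    "class": r'Message="(?P<msg>[\s\S]*)',  # \s or \S together = any character
    "dotall": r'(?s)Message="(?P<msg>.*)',  # (?s) lets . match newlines too
}


def extract(name, event=EVENT):
    """Return the msg capture for the named pattern, or None if no match."""
    m = re.search(PATTERNS[name], event)
    return m.group("msg") if m else None


def frame_count(text):
    """Count stack frames (lines that start with 'at') in extracted text."""
    return len(re.findall(r"(?m)^\s*at\s", text))


if __name__ == "__main__":
    for name in PATTERNS:
        msg = extract(name)
        print(f"{name:7} lines={len(msg.splitlines())} frames={frame_count(msg)}")
```

The `dot` pattern returns only the first line of the message, which is the truncation described in the question; the other two return all four frames.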