Building for the Splunk Platform

Why is rex not extracting all data (limitation on data extraction?)

harshparikhxlrd
Path Finder

Hello, I am using a rex to extract data. It ends up extracting only a portion of the data, but not all of it.

Here is what is supposed to be extracted: Everything after Message equals highlighted in yellow. The 4 "at"'s aren't be extracted.
hidden

And here is what is being extracted:

hidden

I'm not sure if it is a limitation on splunk or not on how many characters can be extracted.

Code:

hidden

0 Karma
1 Solution

to4kawa
Ultra Champion

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

View solution in original post

to4kawa
Ultra Champion

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

harshparikhxlrd
Path Finder

Yours works too. And oh, okay. So, . operator does support new lines. So, do you know what the \s\S on the previous post was? Or why you need both of them for that query?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The . operator in regex does not span newlines. Try | rex field=Message "Message=\"(?<msg>[\s\S]*)".

---
If this reply helps you, Karma would be appreciated.
0 Karma

harshparikhxlrd
Path Finder

Oh. I didn't realize that . operator did not reference new lines. So, this command you gave me essentially just considers new lines/spaces. The \s/S?

0 Karma

harshparikhxlrd
Path Finder

What is the difference between \s and \S I'm thought those were only used for spacing.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

\s (lower case) is white space.
\S (upper case) is anything that is not white space.
Put them together and you match anything.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...