Developing for Splunk Enterprise

Why is rex not extracting all data (limitation on data extraction?)

harshparikhxlrd
Path Finder

Hello, I am using a rex to extract data. It ends up extracting only a portion of the data, but not all of it.

Here is what is supposed to be extracted: everything after Message equals, highlighted in yellow. The 4 "at"s aren't being extracted.
hidden

And here is what is being extracted:

hidden

I'm not sure if it is a limitation in Splunk on how many characters can be extracted or not.

Code:

hidden

0 Karma
1 Solution

to4kawa
Ultra Champion

Hi, @harshparikhxlrd
The . operator in regex does span newlines with the (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference



harshparikhxlrd
Path Finder

Yours works too. And oh, okay. So, the . operator does support new lines. So, do you know what the \s\S on the previous post was? Or why you need both of them for that query?

0 Karma

richgalloway
SplunkTrust

The . operator in regex does not span newlines. Try | rex field=Message "Message=\"(?<msg>[\s\S]*)".

---
If this reply helps you, an upvote would be appreciated.
0 Karma

harshparikhxlrd
Path Finder

Oh. I didn't realize that the . operator did not match new lines. So, this command you gave me essentially just considers new lines/spaces. The \s/\S?

0 Karma

harshparikhxlrd
Path Finder

What is the difference between \s and \S? I thought those were only used for spacing.

0 Karma

richgalloway
SplunkTrust

\s (lower case) is white space.
\S (upper case) is anything that is not white space.
Put them together and you match anything.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
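The three patterns from this thread side by side, as an added example that is not part of the original posts: the plain `.*` that drops the stack frames, to4kawa's `(?s)` version and richgalloway's `[\s\S]*` version, run over a constructed multi-line Message value (a made-up .NET-style trace, not the poster's hidden data). Splunk's rex uses PCRE; Python's `re` handles `.`, `(?s)` and `[\s\S]` the same way, the only difference being that Python names a capture group `(?P<msg>...)` where Splunk writes `(?<msg>...)`. The `compare()` function and its counters are assumptions of this example, not anything in Splunk.

```python
import re
from typing import Dict, Optional

# Constructed sample: a Message field whose value runs onto further lines
# (a .NET-style stack trace). Not data from the original post.
SAMPLE_MESSAGE = (
    'Message="Object reference not set to an instance of an object.\n'
    '   at App.Handler.Process(Request req)\n'
    '   at App.Pipeline.Run()\n'
    '   at App.Program.Main(String[] args)\n'
    '   at System.Threading.ExecutionContext.Run()"'
)

# The three patterns discussed in the thread. Splunk rex uses PCRE; Python's re
# treats '.', '(?s)' and '[\s\S]' the same way, but names groups as (?P<msg>...)
# where Splunk writes (?<msg>...).
PATTERNS = {
    "dot_star": r'Message="(?P<msg>.*)',        # '.' stops at the first newline
    "dotall":   r'(?s)Message="(?P<msg>.*)',    # (?s): '.' also matches '\n'
    "s_and_S":  r'Message="(?P<msg>[\s\S]*)',  # whitespace or non-whitespace = anything
}


def extract(pattern: str, text: str) -> Optional[str]:
    """Return the 'msg' capture group, or None if the pattern does not match."""
    match = re.search(pattern, text)
    return match.group("msg") if match else None


def compare(text: str = SAMPLE_MESSAGE) -> Dict[str, dict]:
    """Run every pattern over the text and report what each one captured.

    'frames' counts the '   at ' lines kept in the capture, which is the
    symptom from the original post: the stack frames after the first line
    of the message were missing from the extracted field.
    """
    results = {}
    for name, pattern in PATTERNS.items():
        captured = extract(pattern, text)
        results[name] = {
            "captured": captured,
            "lines": 0 if captured is None else captured.count("\n") + 1,
            "frames": 0 if captured is None else captured.count("\n   at "),
        }
    return results


if __name__ == "__main__":
    for name, info in compare().items():
        print(f"{name:9s} lines={info['lines']} frames={info['frames']}")
        print("   " + repr(info["captured"]))
```

Running it shows `dot_star` keeping only the first line with zero frames, while `dotall` and `s_and_S` capture identical text with all four frames. Both greedy variants also swallow the closing quote of the field, so if the value is always quote-terminated, a `(?<msg>[^"]*)` style capture, or an explicit `\"` after the group, is the tighter choice; that is a refinement beyond what the thread discusses.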