Hello, I am using a rex to extract data. It ends up extracting only a portion of the data, but not all of it.
Here is what is supposed to be extracted: Everything after Message equals highlighted in yellow. The 4 "at"'s aren't being extracted.
hidden
And here is what is being extracted:
hidden
I'm not sure if it is a limitation on Splunk or not on how many characters can be extracted.
Code:
hidden
Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.
| rex field=Message "(?s)Message=\"(?<msg>.*)"
try this.
Yours works too. And oh, okay. So, . operator does support new lines. So, do you know what the \s\S on the previous post was? Or why you need both of them for that query?
The . operator in regex does not span newlines. Try | rex field=Message "Message=\"(?<msg>[\s\S]*)".
Oh. I didn't realize that . operator did not reference new lines. So, this command you gave me essentially just considers new lines/spaces. The \s/S?
What is the difference between \s and \S? I thought those were only used for spacing.
\s (lower case) is white space.
\S (upper case) is anything that is not white space.
Put them together and you match anything.
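The three patterns from the answers above, run side by side as an added example that is not part of the original thread. Python's re module stands in for rex here (an assumption; Python spells the named group (?P<msg>...) where rex uses (?<msg>...)), and the event is a constructed sample with four "at" frames.

```python
import re

# Constructed sample event: a Message field holding a multi-line stack trace
# with four "at" frames, like the one described in the question.
EVENT = (
    'Level=ERROR Message="java.lang.IllegalStateException: session expired\n'
    '    at com.example.auth.SessionStore.load(SessionStore.java:88)\n'
    '    at com.example.auth.LoginFilter.doFilter(LoginFilter.java:41)\n'
    '    at com.example.web.Dispatcher.handle(Dispatcher.java:120)\n'
    '    at com.example.web.Server.run(Server.java:57)"'
)

# The patterns discussed in the thread, with Python's named-group spelling.
PATTERNS = {
    "dot": r'Message="(?P<msg>.*)',            # default: . stops at \n
    "dotall": r'(?s)Message="(?P<msg>.*)',     # (?s): . also matches \n
    "class": r'Message="(?P<msg>[\s\S]*)',     # \s plus \S matches any character
}


def extract(pattern, event):
    """Return the captured msg group, or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group("msg") if m else None


def is_truncated(pattern, event):
    """True when the capture ends before the end of the event text."""
    m = re.search(pattern, event)
    return m is not None and m.end("msg") < len(event)


def report(event=EVENT):
    """Map pattern name -> (stack frames captured, capture was cut short)."""
    rows = {}
    for name, pat in PATTERNS.items():
        msg = extract(pat, event) or ""
        rows[name] = (msg.count("\n    at "), is_truncated(pat, event))
    return rows


if __name__ == "__main__":
    for name, (frames, cut) in report().items():
        print(f"{name:7} frames={frames} truncated={cut}")
```

The plain-dot pattern keeps only the first line of the message, which is how a stack trace gets cut out of an extracted field without any error being raised.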