Hi @RSS_STT
It is breaking because it is treating the double quotes as the end of the string. Is Message=* the last part of your event, or is there more text after the message?
If its always the last part of the event then you could use the following rex command to create a new "fullMessage" field:
| rex field=_raw "Message\=\"(?<fullMessage>.+)\"$" See screenshot of an example:
| windbag | head 1
| eval _raw="User=testing Message=\" | RO76 | PXS (XITI) - Server - Windows Server Down Critical | Server \"RO76 is currently down / unreachable.\""
| rex field=_raw "Message\=\"(?<fullMessage>.+)\"$"
| table _time fullMessage🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @RSS_STT
It is breaking because it is treating the double quotes as the end of the string. Is Message=* the last part of your event, or is there more text after the message?
If its always the last part of the event then you could use the following rex command to create a new "fullMessage" field:
| rex field=_raw "Message\=\"(?<fullMessage>.+)\"$" See screenshot of an example:
| windbag | head 1
| eval _raw="User=testing Message=\" | RO76 | PXS (XITI) - Server - Windows Server Down Critical | Server \"RO76 is currently down / unreachable.\""
| rex field=_raw "Message\=\"(?<fullMessage>.+)\"$"
| table _time fullMessage🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
