Anyone run across anything like this? Adding a linebreak breaking existing regex...
To address some issues around multiline events this linebreaker was added...
LINE_BREAKER= ([\r\n]+)\d+:\d+:\d+,\d+\s
After the change, this regex stopped working...
Correlation ID for exception is\[.*\]\n(?P<EXCEPTION_NEW>[^\n=@,0-9]+)
Log sample NOT working now...
12:48:15,778 [AWT-EventQueue-0] ERROR com.ui.exceptionhandler.DefaultExceptionHandler - Correlation ID for exception is[CAPPC28-154f-31dc7a1-0000]
java.lang.IllegalStateException: Cannot cancel an already completed Transaction
at com..session.DomainTransaction.cancel(DomainTransaction.java:79)
Log sample working pre change
08:06:05,983 [AWT-EventQueue-0] ERROR com.ui.exceptionhandler.DefaultExceptionHandler - Correlation ID for exception is[CAPPC168-154e-cf4dd61-0002]
java.lang.IllegalStateException: Cannot cancel an already completed Transaction
at com.session.DomainTransaction.cancel(DomainTransaction.java:79)
Above look the same to me except for unique ID and both samples work in regex101.com, but now broken in Splunk.
Thoughts, suggestions welcome.
Addition of linebreaker seems like it added whitespace around linebreaks. This is what I did...
OLD REX: Correlation ID for exception is\[.*\]\n(?P[^\n,=,@,0-9]+)
NEW REX: Correlation ID for exception is\[.*?\][\r\n\s]+(?P.*?[^0-9\n\r\t=@]+)
Addition of linebreaker seems like it added whitespace around linebreaks. This is what I did...
OLD REX: Correlation ID for exception is\[.*\]\n(?P[^\n,=,@,0-9]+)
NEW REX: Correlation ID for exception is\[.*?\][\r\n\s]+(?P.*?[^0-9\n\r\t=@]+)
What was the old line breaker? Is the regex being used at index time or search time?