string used in the search rex "(?i) Message= (?P[^.]+)"
Event log form where im trying to extract "Message=The Windows Management Instrumentation service entered the running state"
Be careful of extra spaces in your rex string. Also, the '(?i)' is unnecessary.
View solution in original post
For better/future reference, Use Interactive Field Extractor http://www.splunk.com/view/SP-CAAADUY
Splunk, makes life's easy :).
It worked after removing the extra space. thanks so much! Wish you a happy new year!
