Solved: Why is the following regex command not terminating...

Log_wrangler · ‎10-15-2018

I have events like this....

<22>2018-10-10T09:38:50.631063-05:00 m0074417 sendmail[16942]: w9AEM7sO030350: to=<thisguy@thatplace.com>

and I want to capture this qid > w9AEM7sO030350

I wrote a regex that worked in regex101 like this...

sendmail+\S+\s(.+)\:\s

and I get just the string I want... but it won't work in Splunk, when I use

index=mail  w9AEM7sO030350 |rex field=_raw "sendmail+\S+\s(?<stitcher>.+)\:" |stats values(stitcher)

or if I use...

index=mail w9AEM7sO030350 |rex field=_raw "sendmail+\S+\s(?<stitcher>.+)\:\s" |stats values(stitcher)

in the events there is a space after the colon, but I cannot get it to stop capturing before the " : ".

Perhaps I am doing this wrong?

Please advise.
Thank you

Log_wrangler · ‎10-15-2018

this seems to work...

 | rex field=_raw "sendmail+\S+\s(?<stitcher>[[:alnum:]]+)\:"  |stats values(stitcher)

Log_wrangler · ‎10-15-2018

this seems to work...

 | rex field=_raw "sendmail+\S+\s(?<stitcher>[[:alnum:]]+)\:"  |stats values(stitcher)

Why is the following regex command not terminating as expected?