Hi All,
I am trying to capture line starting with a number, I have created a regex and tested it in regex101 site and it is working as expected but when I used the same in Splunk using rex it is failing to capture and the result is blank.
https://regex101.com/r/OLUh4A/1
Text:
Cluster GUID: xxxxxxxxxxxxxxx
Sender OneFS Version: Isilon OneFS v8.0.0.6 B_MR_8_0_0_6_117(RELEASE)
Sender Serial Number: xxxxxxx
Node 5 Eventgroups
------------------------------------------------------------------------
OneFS Version: Isilon OneFS v8.0.0.6 B_MR_8_0_0_6_117(RELEASE)
Serial Number: xxxxxxxx
------------------------------------------------------------------------
ID Started Sev Message
------------------------------------------------------------------------
136486 09/02 03:33 I SmartQuotas threshold violation on quota exceeded,
domain directory /xx/xxxxxxx/NAM/xxxxx/xxxxxx/Cisco
Attachment Manifest:
Attached:
events-000e1ea5fexxxxxx-xxxxxxxxx.xml
quotaexceeded.35738
- events-000e1eaxxxxxxxxdccc983-xxxxxx.xml -
quotaexceeded.35738
Regex used : [\s\S]*(?<ID>^\d{1,})\s(?<time>\d{2}\/\d{2}\s\d{2}:\d{2})\s{1,}(?<sev>\w)\s{1,}(?<message>[\s\S]*)Attachment\sManifest:[\s\S]*
