Solved: Why is rex not extracting all data (limitation on ...

harshparikhxlrd · ‎01-15-2020

Hello, I am using a rex to extract data. It ends up extracting only a portion of the data, but not all of it.

Here is what is supposed to be extracted: Everything after Message equals highlighted in yellow. The 4 "at"'s aren't be extracted.
hidden

And here is what is being extracted:

hidden

I'm not sure if it is a limitation on splunk or not on how many characters can be extracted.

Code:

hidden

to4kawa · ‎01-15-2020

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

View solution in original post

to4kawa · ‎01-15-2020

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

harshparikhxlrd · ‎01-15-2020

Yours works too. And oh, okay. So, . operator does support new lines. So, do you know what the \s\S on the previous post was? Or why you need both of them for that query?

richgalloway · ‎01-15-2020

The . operator in regex does not span newlines. Try | rex field=Message "Message=\"(?<msg>[\s\S]*)".

---
If this reply helps you, Karma would be appreciated.

harshparikhxlrd · ‎01-15-2020

Oh. I didn't realize that . operator did not reference new lines. So, this command you gave me essentially just considers new lines/spaces. The \s/S?

harshparikhxlrd · ‎01-15-2020

What is the difference between \s and \S I'm thought those were only used for spacing.

richgalloway · ‎01-15-2020

\s (lower case) is white space.
\S (upper case) is anything that is not white space.
Put them together and you match anything.

---
If this reply helps you, Karma would be appreciated.

Why is rex not extracting all data (limitation on data extraction?)

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk