For some reason I have not been able to get a field extraction to work where the end anchor will be a GUID. Basically the events are as follows
Exception=This is the exception - wrong thing here. - 32c18521-1313-41e6-8ff6-1e1fb986a321
What would the field extraction for this look like?
This isn't even working for me
(?i)Exception=(?P[^[0-9a-f]{8}]+)
This works on regex101 using your sample data.
Exception=(?P<exception>.*)(?P<GUID>.{8}-.{4}-.{4}-.{4}-.{12})
Give this a try
(?i)Exception=(?P<Exception>.*)(\s*-+\s*)\w{8}-\w{4}-\w{4}-\w{4}-\w{12}$
This has worked! Thanks. Odd though, When I was changing the field extraction in the manager, then rerunning the query, I was not noticing the extraction. Only when I edited the existing search then ran did it get the correct extractions. Re-pasting the original then also got the extractions.
What exactly do you want extracted from your sample event?
This is what I am attempting to extract
This is the exception - wrong thing here.
Does the exception always end with '.'? We can't stop at an 8-character word or we risk losing part of the exception text.
No it does not always end with a . I want to set the logic to:
Capture everything between Exception= and a GUID, which will always be 8-4-4-4-12 alphanumeric characters.
I know this is totally doable, but I am not able to get splunks version of regex to work.