Solved: Field regex behaves differently for "Field extract...

frink · ‎04-28-2011

I've got some log data that has a multi-line event this format:

I've created a regex to pull out the PartNumber field, and it seems to work perfectly when I run it through rex:

... | rex field=_raw "(?m)^SPARAM\|\d*\|PartNumber\|(?<SearchPartNumber>.*)"

Result: "1613034"

When I take the same regex and make it a saved Field extraction, I get the value I want plus everything else to the end of the event.

I've tried adding an optional newline or end of line character to the end of the regex and it doesn't help.

Any thoughts on why this would behave differently and what I can do to fix it?

Thanks.

gkanapathy · ‎04-28-2011

The (?s) option defaults differently.

Use (?m-s)^SPARAM at the beginning, or else (?<SearchPartNumber>\V*) to prevent . from matching across line breaks.

gkanapathy · ‎04-28-2011

The (?s) option defaults differently.

Use (?m-s)^SPARAM at the beginning, or else (?<SearchPartNumber>\V*) to prevent . from matching across line breaks.

frink · ‎04-29-2011

Thanks so much for the prompt response. That fixed it!

Field regex behaves differently for "Field extractions" and for rex