I'm running a regular expression on a string which runs for 5 or more lines. The first few words on the first line help me determine if the rest of the sentence is useful for me.
rex "(?P<Application>\w+[a-zA-Z]*) (?P<Message>.*+)" | fields Application, Message | Search Application ="abc"
Here I want to display results if my Application equates to "abc", which is at the beginning of my multi-line string. The Message variable has only the characters till the end of the first line; it does return characters from the second or third line.
Search String
abc def
ghi
jkl
The Application variable equates to "abc" and Message returns only "def", but I want it to return "def ghi jkl".
How should the Regular expression be changed to achieve this?
The correct nomenclature is to add (?ms) at the beginning - the s is dotall, and the m is multi-line. Thus:
rex field=_raw "(?ms)(?P<Application>\w+) (?P<Message>.*+)"
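The effect of each flag on the sample event from the question, as an added example that is not part of the original answer. It uses Python's `re` module as a stand-in for rex, with `.*+` written as `.*` because Python before 3.11 has no possessive quantifier; the helper names `extract` and `flatten` are hypothetical.

```python
import re

# Constructed sample event: the three-line string from the question.
EVENT = "abc def\nghi\njkl"

# Patterns from the page, with ".*+" written as ".*" (assumption: the match is
# the same for this input because nothing follows the Message group).
NO_FLAGS = r"(?P<Application>\w+[a-zA-Z]*) (?P<Message>.*)"
M_ONLY = r"(?m)(?P<Application>\w+) (?P<Message>.*)"
MS_FLAGS = r"(?ms)(?P<Application>\w+) (?P<Message>.*)"


def extract(pattern, event):
    """Return the named groups of the first match, or {} when nothing matches."""
    match = re.search(pattern, event)
    return match.groupdict() if match else {}


def flatten(message):
    """Collapse line breaks and runs of whitespace into single spaces."""
    return " ".join(message.split())


if __name__ == "__main__":
    for label, pattern in (("no flags", NO_FLAGS),
                           ("(?m) only", M_ONLY),
                           ("(?ms)", MS_FLAGS)):
        fields = extract(pattern, EVENT)
        # repr() makes the embedded newlines visible in the output.
        print(f"{label:10} Application={fields['Application']!r} "
              f"Message={fields['Message']!r}")

    # Dotall keeps the line breaks inside Message; flatten() produces the
    # single-line form the question asks for.
    print(flatten(extract(MS_FLAGS, EVENT)["Message"]))
```

Only the `s` flag changes the result here: `m` affects `^` and `$`, which this pattern does not use. The captured Message still contains the line breaks, so they need replacing if a single-line value is wanted.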