I am indexing multi-line events and would like to exclude events like the following:
2012-12-04 16:29:22.402 Some text failed:
From: ExecuteViewBasedLookupCC::Execute
Type: LogicError
Severity: Critical
Text: (vector (Null-null) 3.60206e+11 )
The rule for excluding events is the text ExecuteViewBasedLookupCC followed by (Null-null). I am using the following regular expression to match this event and redirect it to nullQueue:
REGEX=(?m)^.*ExecuteViewBasedLookupCC(?=.*(Null-null))
However it is not working. Any ideas please?
You need to use the s
modifier as well in order to have the dot match newlines. So (?ms)
You need to use the s
modifier as well in order to have the dot match newlines. So (?ms)
thanks, that worked!