Solved: How to get a field extraction match up till the fi...

jeck11 · ‎03-14-2019

This is the regex I've come up with so far. Unfortunately, it's either matching too much or not enough. I want it to match everything after "Details: " until the first time "java." is found. Basically, I'm looking for everything in the orange boxes in the example image below.

^Details\:\s(?<Error_Details>.*)\sjava\.\w+\.\w+(\s|\:)

richgalloway · ‎03-14-2019

It would have been helpful to post the sample strings as text rather than as an image so we could test them in regex101.com.

Have you tried Details\:\s(?<Error_Details>[\s\S]*?)\sjava\.?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-14-2019

It would have been helpful to post the sample strings as text rather than as an image so we could test them in regex101.com.

Have you tried Details\:\s(?<Error_Details>[\s\S]*?)\sjava\.?

---
If this reply helps you, Karma would be appreciated.

jeck11 · ‎03-14-2019

I kind of see what you did there. The problem wasn't so much after the match as it was inside the match.

Details:\s(?[\s\S]*?)\sjava.\w+.\w+

Thank you very much for your assistance.

richgalloway · ‎03-14-2019

Is it working now? If so, please accept the answer to help future readers. If not, please say where the answer is lacking.

---
If this reply helps you, Karma would be appreciated.

jeck11 · ‎03-14-2019

I'm sorry. I had clicked the accept and given the karma points. It's completely working now.

How to get a field extraction match up till the first time a string is found?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...