Splunk Dev

Why is rex not extracting all data (limitation on data extraction?)

harshparikhxlrd
Path Finder

Hello, I am using a rex to extract data. It ends up extracting only a portion of the data, but not all of it.

Here is what is supposed to be extracted: Everything after Message equals highlighted in yellow. The 4 "at"'s aren't be extracted.
hidden

And here is what is being extracted:

hidden

I'm not sure if it is a limitation on splunk or not on how many characters can be extracted.

Code:

hidden

0 Karma
1 Solution

to4kawa
Ultra Champion

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

View solution in original post

to4kawa
Ultra Champion

Hi, @harshparikhxlrd
The . operator in regex does span newlines with (?s) option.

| rex field=Message "(?s)Message=\"(?<msg>.*)"

try this.

reference

harshparikhxlrd
Path Finder

Yours works too. And oh, okay. So, . operator does support new lines. So, do you know what the \s\S on the previous post was? Or why you need both of them for that query?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The . operator in regex does not span newlines. Try | rex field=Message "Message=\"(?<msg>[\s\S]*)".

---
If this reply helps you, Karma would be appreciated.
0 Karma

harshparikhxlrd
Path Finder

Oh. I didn't realize that . operator did not reference new lines. So, this command you gave me essentially just considers new lines/spaces. The \s/S?

0 Karma

harshparikhxlrd
Path Finder

What is the difference between \s and \S I'm thought those were only used for spacing.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

\s (lower case) is white space.
\S (upper case) is anything that is not white space.
Put them together and you match anything.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...