Hi Team, Could someone help me with the field extraction for the below complex data(1000 lines of data I concised to 10 lines of data ) : columns to be extracted are statement_text , cnt, total_reads, total_writes, db_name statement_text="insert into #pt_queryhistory_time ( [sample_time],command_id,cnt,total_time,[db_name],sqlhandle,hash_char) select top 500 [sample_time] = convert(smalldatetime,'2021-09-27 18:55:00'), total_time = qs.total_elapsed_time/1000, avg_cpu = case when qs.execution_count = 0 then 0 else qs.total_worker_time/qs.execution_count/1000 end, db_name = case convert(int, pa.value) when null then '--unknown--' when 0 then '--unknown--' when 32767 then 'Resource' else db_name(convert(int, pa.value)) end, [db_id] = coalesce(convert(int, pa.value),0), hash_char = '' from sys.db_stats (nolock) as qs cross apply sys.dm_exec_plan_attributes(qs.plan_handle)as pa where pa.attribute = N'dbid' and isnull(convert(int,pa.value),0) = 8 order by qs.total_elapsed_time desc", cnt="1", total_reads="1888", total_writes="29", avg_writes="29",db_name="db1" I couldn't able to extract the statement_text column completely and the remaining columns are working fine index="index" source="source1"| rex field=_raw "statement_text\=\"(?<statement_text>[@ ( ) $ . , \"A-Z ! ^ | \" - _ : { } A-Z a-z _ 0-9]+]+)\"" | rex field=_raw "cnt\=\"(?<cnt>[0-9]+)\"" | rex field=_raw "diff_reads\=\"(?<diff_reads>[0-9]+)\""| rex field=_raw "total_writes\=\"(?<total_writes>[0-9]+)\"" | rex field=_raw "db_name\=\"(?<db_name>[A-Z a-z _ 0-9]+)\"" Please provide me rex for statement_text column where the data can be extracted till the 2nd column "cnt"
... View more