Need assistance with a regex to reformat the field
The field is Message, and the output is
"*Reason: Details: Attributes: folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail"*
When developing the regex to select anything after "Attributes:", I was able to create this rex:
"*(?i)Attributes: (?.+)"*
It works in regex101.com and displays this field.
The Splunk query that I wrote is
"*(base search)||rex field=Message "Attributes: (?.+)*"
But the message field still shows the entire message value.
Any assistance will help.