There is a potentially rather expensive way to do it. Suppose your raw events are all single lines; you can do something like

| eval beginning_of_transaction = mvindex(split(_raw, "
"), 0) ``` use index -1 for end of transaction ```
| rex field=beginning_of_transaction "<your regex>"

If the events are not all single-line, but there is a distinct string (including newline) to split them without interfering with your regex, this formula can still work.

Update: Your title says to exclude. If exclusion is the goal, I assume that you meant to exclude start AND end, not start or end. This can be achieved with

| eval middle_of_transaction = mvindex(split(_raw, "
"), 1, -2)
| rex field=middle_of_transaction "<your regex>"