https://community.splunk.com/t5/Getting-Data-In/Pull-a-field-through-regex/m-p/535984#M89867 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93912">@Nidd</a>,</P><P>let me understand: what's the&nbsp;ErrorMessage you're serching for:</P><UL><LI>all after "ErrorMessage=",</LI><LI>all until ":" one time,</LI><LI>all until ":" many times.</LI></UL><P>In the first case the regex it's easy:</P><LI-CODE lang="markup">ErrorMessage\=\s+(?&lt;ErrorMessage&gt;.*)</LI-CODE><P>and you can test it at&nbsp;<A href="https://regex101.com/r/7hAGRj/1" target="_blank">https://regex101.com/r/7hAGRj/1</A></P><P>The second is similat to your:</P><LI-CODE lang="markup">ErrorMessage\=\s+(?&lt;ErrorMessage&gt;[^:]*)</LI-CODE><P>and you can test it at&nbsp;<A href="https://regex101.com/r/7hAGRj/2" target="_blank">https://regex101.com/r/7hAGRj/2</A></P><P>the third requires two extractions:</P><LI-CODE lang="markup">| rex "ErrorMessage\=\s+(?&lt;FullErrorMessage&gt;.*)" | rex field=FullErrorMessage "(?&lt;ErrorMessage&gt;[^:$]*)(:|$)"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 15 Jan 2021 10:54:39 GMT gcusello 2021-01-15T10:54:39Z https://community.splunk.com/t5/Getting-Data-In/Pull-a-field-through-regex/m-p/535977#M89866 <P>I have the following log:</P><P>&nbsp;</P><LI-CODE lang="markup">Number=Test1,Code=DPCA , ErrorMessage= sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I'm trying to pull ErrorMessage from the log through regex but in vain. The field is not getting extracted. Below is the regex I'm using. Am I missing something? Please help.</P><P>&nbsp;</P><LI-CODE lang="markup">rex "^(?:(?&amp;lt;ErrorMessage&amp;gt;[^,]*),){3}"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Fri, 15 Jan 2021 10:30:31 GMT https://community.splunk.com/t5/Getting-Data-In/Pull-a-field-through-regex/m-p/535977#M89866 Nidd 2021-01-15T10:30:31Z https://community.splunk.com/t5/Getting-Data-In/Pull-a-field-through-regex/m-p/535984#M89867 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93912">@Nidd</a>,</P><P>let me understand: what's the&nbsp;ErrorMessage you're serching for:</P><UL><LI>all after "ErrorMessage=",</LI><LI>all until ":" one time,</LI><LI>all until ":" many times.</LI></UL><P>In the first case the regex it's easy:</P><LI-CODE lang="markup">ErrorMessage\=\s+(?&lt;ErrorMessage&gt;.*)</LI-CODE><P>and you can test it at&nbsp;<A href="https://regex101.com/r/7hAGRj/1" target="_blank">https://regex101.com/r/7hAGRj/1</A></P><P>The second is similat to your:</P><LI-CODE lang="markup">ErrorMessage\=\s+(?&lt;ErrorMessage&gt;[^:]*)</LI-CODE><P>and you can test it at&nbsp;<A href="https://regex101.com/r/7hAGRj/2" target="_blank">https://regex101.com/r/7hAGRj/2</A></P><P>the third requires two extractions:</P><LI-CODE lang="markup">| rex "ErrorMessage\=\s+(?&lt;FullErrorMessage&gt;.*)" | rex field=FullErrorMessage "(?&lt;ErrorMessage&gt;[^:$]*)(:|$)"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 15 Jan 2021 10:54:39 GMT https://community.splunk.com/t5/Getting-Data-In/Pull-a-field-through-regex/m-p/535984#M89867 gcusello 2021-01-15T10:54:39Z https://community.splunk.com/t5/Getting-Data-In/Pull-a-field-through-regex/m-p/535987#M89869 <P>Thank you very much <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;! That worked ! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 15 Jan 2021 11:12:17 GMT https://community.splunk.com/t5/Getting-Data-In/Pull-a-field-through-regex/m-p/535987#M89869 Nidd 2021-01-15T11:12:17Z