https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545126#M37429 <P>Try this:</P><LI-CODE lang="markup">| rex "(?&lt;message&gt;message=[^\n]+)"</LI-CODE> Wed, 24 Mar 2021 13:11:10 GMT manjunathmeti 2021-03-24T13:11:10Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545113#M37424 <P>Hi Everyone,</P><P>How can I extract the Below word <SPAN class="t"><SPAN class="t a"><STRONG>OutOfMemoryErro</STRONG>r&nbsp;</SPAN></SPAN>from the splunk losg</P><P><SPAN class="t">2021-03-24T09:01:32.357185211Z</SPAN> <SPAN class="t">app_name=dgfassetmutation</SPAN> <SPAN class="t">environment=e1</SPAN> <SPAN class="t">ns=blazepsfsubscribememsql-c2</SPAN> <SPAN class="t">pod_container=dgfassetmutation</SPAN> <SPAN class="t">pod_name=dgfassetmutation-deployment-3-p24np</SPAN> <SPAN class="t">stream=stdout</SPAN> <SPAN class="t">message=Terminating</SPAN> <SPAN class="t">due</SPAN> <SPAN class="t">to</SPAN> <SPAN class="t">java.lang.<SPAN class="t a"><STRONG>OutOfMemoryErro</STRONG>r</SPAN>:</SPAN> <SPAN class="t">Metaspace</SPAN></P><P>&nbsp;</P><P><SPAN>2021-03-03T12:45:30.036179788Z</SPAN> <SPAN>app_name=pulldataoneforce</SPAN> <SPAN>environment=e1</SPAN> <SPAN>ns=blazepsfpublish</SPAN> <SPAN>pod_container=pulldataoneforce</SPAN> <SPAN>pod_name=pulldataoneforce-deployment-175-kv9tv</SPAN> <SPAN>stream=stdout</SPAN> message=Caused by: java.lang.<STRONG>OutOfMemoryError</STRONG>: unable to create new native thread</P><P>Thanks in advance</P><P><SPAN>&nbsp;</SPAN></P> Wed, 24 Mar 2021 12:13:35 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545113#M37424 aditsss 2021-03-24T12:13:35Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545116#M37425 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225066">@aditsss</a>,<BR />Try this, highlighted values will be part of field&nbsp;<STRONG>error</STRONG>.</P><LI-CODE lang="markup">| rex "java\.lang\.(?&lt;error&gt;\w+)\:\s(?&lt;error_msg&gt;[^\n]+)"</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P><P>&nbsp;</P> Wed, 24 Mar 2021 12:21:01 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545116#M37425 manjunathmeti 2021-03-24T12:21:01Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545123#M37428 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;</P><P>I want to show the complete error message (The highlighted one)</P><P><SPAN class="t">2021-03-24T09:01:32.357185211Z</SPAN> <SPAN class="t">app_name=dgfassetmutation</SPAN> <SPAN class="t">environment=e1</SPAN> <SPAN class="t">ns=blazepsfsubscribememsql-c2</SPAN> <SPAN class="t">pod_container=dgfassetmutation</SPAN> <SPAN class="t">pod_name=dgfassetmutation-deployment-3-p24np</SPAN> <SPAN class="t">stream=stdout</SPAN> <STRONG><SPAN class="t">message=Terminating</SPAN> <SPAN class="t">due</SPAN> <SPAN class="t">to</SPAN> <SPAN class="t">java.lang.<SPAN class="t a">OutOfMemoryError</SPAN>:</SPAN> <SPAN class="t">Metaspace</SPAN></STRONG></P><P>&nbsp;</P><P><SPAN>2021-03-03T12:45:30.036179788Z</SPAN> <SPAN>app_name=pulldataoneforce</SPAN> <SPAN>environment=e1</SPAN> <SPAN>ns=blazepsfpublish</SPAN> <SPAN>pod_container=pulldataoneforce</SPAN> <SPAN>pod_name=pulldataoneforce-deployment-175-kv9tv</SPAN> <SPAN>stream=stdout</SPAN> <SPAN><STRONG>message=Caused</STRONG></SPAN><STRONG> <SPAN>by:</SPAN> <SPAN>java.lang.</SPAN></STRONG><SPAN><STRONG>OutOfMemoryError</STRONG></SPAN><SPAN><STRONG>:</STRONG></SPAN><STRONG> <SPAN>unable</SPAN> <SPAN>to</SPAN> <SPAN>create</SPAN> <SPAN>new</SPAN> <SPAN>native</SPAN> <SPAN>thread</SPAN></STRONG></P><P><SPAN>&nbsp;How can I extract the complete message</SPAN></P> Wed, 24 Mar 2021 13:05:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545123#M37428 aditsss 2021-03-24T13:05:43Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545126#M37429 <P>Try this:</P><LI-CODE lang="markup">| rex "(?&lt;message&gt;message=[^\n]+)"</LI-CODE> Wed, 24 Mar 2021 13:11:10 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545126#M37429 manjunathmeti 2021-03-24T13:11:10Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545133#M37431 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;</P><P>Its working fine but I want to remove<STRONG> message=</STRONG> part. Currently its coming like this:</P><P><SPAN>message=Caused by: java.lang.NullPointerException: null</SPAN></P><P><SPAN>I want it to show like this:</SPAN></P><P><SPAN>Caused by: java.lang.NullPointerException: null</SPAN></P><P><SPAN>How can I achieve this</SPAN></P> Wed, 24 Mar 2021 13:36:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545133#M37431 aditsss 2021-03-24T13:36:27Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545134#M37432 <P>You put message= outside group capture.</P><LI-CODE lang="markup">| rex "message=(?&lt;message&gt;[^\n]+)"</LI-CODE> Wed, 24 Mar 2021 13:37:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-Extract-the-field-from-Splunk-Logs/m-p/545134#M37432 manjunathmeti 2021-03-24T13:37:52Z