https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514517#M144407 <P>Can someone show me what the regex expression for the below extract would be? &amp; can you show me how you arrived to that conclusion, NB i have tried reg101 and Im still confused.</P><P>&nbsp;</P><P>i have tried this expression</P><P>rex field=_raw "ERROR - (?&lt;Error_Message&gt;.+)"</P><P>&nbsp;</P><P>2020-08-17 16:34:02,141 [68618-1397] <U>ERROR NodePoolServlet</U> - [urn:uuid:6144BCB27826B3BECC1597674752077153] Bot Manager can't find a free Bot to execute a robotic task. Please check that Bots with requested capabilties are alive using the Healtcheck API and the Bot Source size in Control Tower is equal to the number of available Bots.</P> Mon, 17 Aug 2020 18:50:20 GMT sphiwee 2020-08-17T18:50:20Z https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514517#M144407 <P>Can someone show me what the regex expression for the below extract would be? &amp; can you show me how you arrived to that conclusion, NB i have tried reg101 and Im still confused.</P><P>&nbsp;</P><P>i have tried this expression</P><P>rex field=_raw "ERROR - (?&lt;Error_Message&gt;.+)"</P><P>&nbsp;</P><P>2020-08-17 16:34:02,141 [68618-1397] <U>ERROR NodePoolServlet</U> - [urn:uuid:6144BCB27826B3BECC1597674752077153] Bot Manager can't find a free Bot to execute a robotic task. Please check that Bots with requested capabilties are alive using the Healtcheck API and the Bot Source size in Control Tower is equal to the number of available Bots.</P> Mon, 17 Aug 2020 18:50:20 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514517#M144407 sphiwee 2020-08-17T18:50:20Z https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514519#M144409 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223364">@sphiwee</a>&nbsp;<BR />If I understand correctly, you need the error details in a keyword after the ERROR message.</P><P><SPAN>2020-08-17 16:34:02,141 [68618-1397]&nbsp;</SPAN><U>ERROR <FONT color="#FF6600">NodePoolServlet</FONT></U><FONT color="#FF6600"><SPAN>&nbsp;- [urn:uuid:6144BCB27826B3BECC1597674752077153] Bot Manager can't find a free Bot to execute a robotic task. Please check that Bots with requested capabilties are alive using the Healtcheck API and the Bot Source size in Control Tower is equal to the number of available Bots.<BR /><BR /></SPAN></FONT></P><P><FONT color="#000000"><SPAN>You can use the below regex format to achieve that.</SPAN></FONT></P><LI-CODE lang="markup">&lt;your query&gt;|rex field=_raw "ERROR\s(?&lt;Error_Message&gt;.+)"</LI-CODE><P>&nbsp;</P> Mon, 17 Aug 2020 19:12:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514519#M144409 impurush 2020-08-17T19:12:25Z https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514520#M144410 <P>The regex you posted extracted nothing from the event posted.</P><P><SPAN>rex field=_raw "ERROR - (?&lt;Error_Message&gt;.+)" to explain your regex.</SPAN></P><P><SPAN>field=_raw - indicates Splunk to look&nbsp; in _raw field for extraction&nbsp;ERROR - (?&lt;Error_Message&gt;.+)</SPAN></P><P><SPAN>The extraction "ERROR - (?&lt;Error_Message&gt;.+)" - first identify&nbsp; ERROR - and value will be extracted after&nbsp;ERROR - till end of line&nbsp; and the value will be kept in Error_Message field.</SPAN></P><P><SPAN>Find below video useful</SPAN></P><P><SPAN><A title="Regular Expressions in Splunk" href="https://www.youtube.com/watch?v=LoiyiCVGLnw&amp;t=634s" target="_self">Regular Expressions in Splunk</A>&nbsp;</SPAN></P> Mon, 17 Aug 2020 19:18:15 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514520#M144410 thambisetty 2020-08-17T19:18:15Z https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514539#M144420 <P>no only need this part "<U>ERROR<SPAN>&nbsp;</SPAN><FONT color="#FF6600">NodePoolServlet</FONT></U><FONT color="#FF6600"><SPAN>&nbsp;-"</SPAN></FONT></P> Mon, 17 Aug 2020 21:15:44 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514539#M144420 sphiwee 2020-08-17T21:15:44Z https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514545#M144421 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223364">@sphiwee</a>&nbsp;<BR /><BR />Use the below one</P><LI-CODE lang="markup">&lt;your query&gt;|rex field=_raw "ERROR\s(?&lt;Error_Message&gt;.+)\-"</LI-CODE> Mon, 17 Aug 2020 21:27:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514545#M144421 impurush 2020-08-17T21:27:03Z https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514547#M144422 <P>rex field=_raw "<FONT color="#FF0000">ERROR</FONT> <FONT color="#FF0000">-</FONT> (?&lt;Error_Message&gt;.+)" is match</P><P>ERROR - &lt;&lt;SOMETHING&gt;&gt;</P><P>&nbsp;</P><P>2020-08-17 16:34:02,141 [68618-1397]<SPAN>&nbsp;</SPAN><U><FONT color="#FF0000"><STRONG>ERROR</STRONG> </FONT>NodePoolServlet</U><SPAN>&nbsp;</SPAN>- [urn:uuid:6144BCB27826B3BECC1597674752077153] Bot Manager can't find a free Bot to execute a robotic task. Please check that Bots with requested capabilties are alive using the Healtcheck API and the Bot Source size in Control Tower is equal to the number of available Bots.</P><P>&nbsp;</P><P>your log does not have -(hyphen) after ERROR. so this can't match.<BR /><BR />"ERROR\s(?&lt;Error_Message&gt;\S+)"</P> Mon, 17 Aug 2020 21:33:20 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Expression-to-find-errors-not-matching/m-p/514547#M144422 to4kawa 2020-08-17T21:33:20Z