https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495503#M194576 <P>Hi @Noah_Woodcock </P> <P>Think you have got me wrong.<BR /> I wanted to extract only the very first word that comes before the word error.</P> <P>So in my initial question,I have shared the sample as below.</P> <P>Null.set.error<BR /> Nullerror<BR /> Set-get-error<BR /> Timed out error<BR /> Unknown - error</P> <P>and the regex that has been suggested (rex "(?.+?)[\s.-]*error") seem to capture everything that is present before the word error.</P> <P>For Example:<BR /> In the below log,<BR /> Could not complete.Reason : Null.set.error</P> <P>The expected is only <STRONG>Null.set</STRONG> but the its extracting me 'Could not complete.Reason : Null.set'</P> Thu, 05 Dec 2019 16:25:15 GMT prettysunshinez 2019-12-05T16:25:15Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495498#M194571 <P>Hi All,<BR /> I require help in extracting the words that appear right before the word.<BR /> Example:<BR /> Null.set.error<BR /> Nullerror<BR /> Set-get-error<BR /> Timed out error<BR /> Unknown - error</P> <P>From the above,the expected result is<BR /> Null.set<BR /> Null<BR /> Set-get<BR /> Timed out<BR /> Unknown</P> <P>Kindly help me with this.</P> <P>Thanks!</P> Sun, 01 Dec 2019 17:39:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495498#M194571 prettysunshinez 2019-12-01T17:39:21Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495499#M194572 <P>Hi prettysunshinez,</P> <P>Based on the provided examples, give this a try:</P> <PRE><CODE>your search here | rex "(?&lt;ThisIsWhatYouWant&gt;.+?)[\s\.-]*error" </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> <P><STRONG>UPDATE</STRONG> After some feedback and new examples the correct regex is:</P> <PRE><CODE> your search here | rex "(?&lt;ThisIsWhatYouWant&gt;[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error" </CODE></PRE> Sun, 01 Dec 2019 20:32:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495499#M194572 MuS 2019-12-01T20:32:31Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495500#M194573 <P>Like this:</P> <PRE><CODE>... | rex ":\s*(?&lt;error_prefix&gt;.*?)[^A-z]+\s+error" </CODE></PRE> Sun, 01 Dec 2019 22:55:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495500#M194573 woodcock 2019-12-01T22:55:37Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495501#M194574 <P>Hi @MuS,<BR /> Thanks for your help.<BR /> This seems to work but this seems to capture all the words that are present before the word error</P> <P>For Example:<BR /> In the below log,<BR /> Could not complete.Reason : Null.set.error </P> <P>The expected is only Null.set but the its extracting me '<STRONG>Could not complete.Reason : Null.set</STRONG>'</P> <P>Likewise for the others also.</P> <P>Could you kindly help.</P> Thu, 05 Dec 2019 15:46:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495501#M194574 prettysunshinez 2019-12-05T15:46:09Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495502#M194575 <P>I updated my answer.</P> Thu, 05 Dec 2019 15:57:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495502#M194575 woodcock 2019-12-05T15:57:01Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495503#M194576 <P>Hi @Noah_Woodcock </P> <P>Think you have got me wrong.<BR /> I wanted to extract only the very first word that comes before the word error.</P> <P>So in my initial question,I have shared the sample as below.</P> <P>Null.set.error<BR /> Nullerror<BR /> Set-get-error<BR /> Timed out error<BR /> Unknown - error</P> <P>and the regex that has been suggested (rex "(?.+?)[\s.-]*error") seem to capture everything that is present before the word error.</P> <P>For Example:<BR /> In the below log,<BR /> Could not complete.Reason : Null.set.error</P> <P>The expected is only <STRONG>Null.set</STRONG> but the its extracting me 'Could not complete.Reason : Null.set'</P> Thu, 05 Dec 2019 16:25:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495503#M194576 prettysunshinez 2019-12-05T16:25:15Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495504#M194577 <P>Hi prettysunshinez,</P> <P>well you did not provided that example in your question so my regex was based on what you provided <span class="lia-unicode-emoji" title=":winking_face:">😉</span> But try this regex :</P> <PRE><CODE> "(?&lt;ThisIsWhatYouWant&gt;[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error" </CODE></PRE> <P>this will also match correctly with the new example that you just provided <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>cheers, MuS</P> Thu, 05 Dec 2019 17:46:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495504#M194577 MuS 2019-12-05T17:46:11Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495505#M194578 <P>Hi @MuS <BR /> Thanks! This works fine <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Dec 2019 18:00:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495505#M194578 prettysunshinez 2019-12-05T18:00:23Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495506#M194579 <P>You're welcome and thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>cheers, MuS</P> Thu, 05 Dec 2019 18:05:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-prefixed-words-from-logs/m-p/495506#M194579 MuS 2019-12-05T18:05:35Z