https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602205#M209614 <P>Hi everyone. I am a new user to Splunk.&nbsp;</P><P>Recently, I have met some trouble with trying to extract a certain message out from a field I want. I have a field called Message, which logs the message sent to a web server. However, I only want to retrieve a specific field when the message contains the desired field that I want.&nbsp;</P><P>Example: I want to retrieve the user's name when service is invoked.&nbsp;</P><TABLE border="1" width="44.4439448441247%"><TBODY><TR><TD width="33.333333333333336%" height="25px">Time</TD><TD width="33.333333333333336%" height="25px">Message</TD></TR><TR><TD width="33.333333333333336%" height="69px">2021-05-15T01:51:52.321Z</TD><TD width="33.333333333333336%" height="69px">Session ID 1234 has been created</TD></TR><TR><TD width="33.333333333333336%" height="47px">2021-05-15T01:51:52.321Z</TD><TD width="33.333333333333336%" height="47px">Invoked by user David from IP 127.256.25.16</TD></TR><TR><TD height="25px">2021-05-15T01:51:52.321Z</TD><TD height="25px">Configuration Reading - Start</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Hence, I only want to extract the name David, when that specific message log containing the name appears. Does anyone have any clue how I can extract that field specifically when it appears?</P><P>Thanks in advance.&nbsp;<BR /><BR />EDITED:<BR />Hey Splunk Users,&nbsp;</P><P>If you met the same problem as I did, where the message logs change constantly, do make sure to search for the message you are looking for first, before drilling down for the specific field.&nbsp;</P><P>In my case:<BR />| search Message="Invoked by user *"<BR />| rex field=Message "Invoked by user (?&lt;user&gt;\w+)"</P> Wed, 22 Jun 2022 06:48:36 GMT Michael_Scott 2022-06-22T06:48:36Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602205#M209614 <P>Hi everyone. I am a new user to Splunk.&nbsp;</P><P>Recently, I have met some trouble with trying to extract a certain message out from a field I want. I have a field called Message, which logs the message sent to a web server. However, I only want to retrieve a specific field when the message contains the desired field that I want.&nbsp;</P><P>Example: I want to retrieve the user's name when service is invoked.&nbsp;</P><TABLE border="1" width="44.4439448441247%"><TBODY><TR><TD width="33.333333333333336%" height="25px">Time</TD><TD width="33.333333333333336%" height="25px">Message</TD></TR><TR><TD width="33.333333333333336%" height="69px">2021-05-15T01:51:52.321Z</TD><TD width="33.333333333333336%" height="69px">Session ID 1234 has been created</TD></TR><TR><TD width="33.333333333333336%" height="47px">2021-05-15T01:51:52.321Z</TD><TD width="33.333333333333336%" height="47px">Invoked by user David from IP 127.256.25.16</TD></TR><TR><TD height="25px">2021-05-15T01:51:52.321Z</TD><TD height="25px">Configuration Reading - Start</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Hence, I only want to extract the name David, when that specific message log containing the name appears. Does anyone have any clue how I can extract that field specifically when it appears?</P><P>Thanks in advance.&nbsp;<BR /><BR />EDITED:<BR />Hey Splunk Users,&nbsp;</P><P>If you met the same problem as I did, where the message logs change constantly, do make sure to search for the message you are looking for first, before drilling down for the specific field.&nbsp;</P><P>In my case:<BR />| search Message="Invoked by user *"<BR />| rex field=Message "Invoked by user (?&lt;user&gt;\w+)"</P> Wed, 22 Jun 2022 06:48:36 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602205#M209614 Michael_Scott 2022-06-22T06:48:36Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602206#M209615 <P>Depending on your actual events, this might work</P><LI-CODE lang="markup">| rex "Invoked by user (?&lt;user&gt;.+)"</LI-CODE> Fri, 17 Jun 2022 07:56:57 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602206#M209615 ITWhisperer 2022-06-17T07:56:57Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602207#M209616 <P><SPAN>Well the full message is usually like this:<BR /></SPAN></P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">Message</TD></TR><TR><TD width="100%">Invoked by user David from IP 10.143.235.76</TD></TR></TBODY></TABLE><P><SPAN><BR />I did try to extract the name and the IP Address at the same time, but it still does not extract it as intended.</SPAN></P> Fri, 17 Jun 2022 08:27:01 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602207#M209616 Michael_Scott 2022-06-17T08:27:01Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602208#M209617 <P>If the user is just a single word</P><P>&nbsp;</P><LI-CODE lang="markup">| rex field=Message "Invoked by user (?&lt;user&gt;\w+)"</LI-CODE><P>&nbsp;</P> Fri, 17 Jun 2022 08:29:21 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602208#M209617 ITWhisperer 2022-06-17T08:29:21Z https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602742#M209801 <P>Hi there, sorry for getting back to you a bit late.&nbsp;<BR /><BR />I actually had to add another line in my query, which is&nbsp;</P><P>| search Message="Invoked by user *"<BR />| rex field=Message "Invoked by user (?&lt;user&gt;\w+)"</P><P>This will first return the message I'm looking for, and the user in the message. Thanks a lot for the assistance.&nbsp;</P> Wed, 22 Jun 2022 06:49:22 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-a-specific-message-from-a-changing-field/m-p/602742#M209801 Michael_Scott 2022-06-22T06:49:22Z