https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-specific-error-message-from-the-raw-output/m-p/636564#M221074 <P>I am using the below cluster search&nbsp;</P> <P>| cluster t=0.1 showcount=t countfield=no_of_events | table _time,no_of_events _raw | sort -no_of_events | dedup no_of_events</P> <P>in the output iam getting the entire raw message as in the table. however, i want to show only the error message.</P> <P>Is there any way to extract only specific messages instead of full raw message</P> <P>&nbsp;</P> Thu, 30 Mar 2023 07:35:31 GMT Sudharsanan27 2023-03-30T07:35:31Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-specific-error-message-from-the-raw-output/m-p/636564#M221074 <P>I am using the below cluster search&nbsp;</P> <P>| cluster t=0.1 showcount=t countfield=no_of_events | table _time,no_of_events _raw | sort -no_of_events | dedup no_of_events</P> <P>in the output iam getting the entire raw message as in the table. however, i want to show only the error message.</P> <P>Is there any way to extract only specific messages instead of full raw message</P> <P>&nbsp;</P> Thu, 30 Mar 2023 07:35:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-specific-error-message-from-the-raw-output/m-p/636564#M221074 Sudharsanan27 2023-03-30T07:35:31Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-specific-error-message-from-the-raw-output/m-p/636567#M221076 <P>That very much depends on the difference between raw message and the error message you are looking for. &nbsp;The whole point of Splunk in my view is the freedom to extract any token into data field. &nbsp;But you have to show what raw message contains and which part you consider an error message. (Anonymize as needed.)</P> Wed, 29 Mar 2023 18:27:25 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-receiving-specific-error-message-from-the-raw-output/m-p/636567#M221076 yuanliu 2023-03-29T18:27:25Z