https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651100#M225119 <P>I have tried the above query but from that I am getting the whole message I only want to extract the 1 and 2 line .<BR />I have tried this and getting only until successful in the table I want the whole line&nbsp;<SPAN>'until-successful' retries exhausted</SPAN><BR />| rex field=message "(?ms)Message\s+'(?&lt;message&gt;.*?)'"<BR />| table message<BR /><BR /></P> Wed, 19 Jul 2023 09:35:15 GMT avi7326 2023-07-19T09:35:15Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651098#M225117 <P class=""><SPAN>I want to extract the message that is&nbsp;<SPAN class="">'until-successful' retries exhausted from the below logs.<BR />And also a second rex query to extract both message and element and get in the table.<BR />Any Help will be appreciated.</SPAN></SPAN></P><P class=""><SPAN>{&nbsp;</SPAN><A title="Original URL: https://splunkeu.bmwgroup.net/en-US/app/search/search?earliest=-24h%40h&amp;latest=now&amp;q=search%20index%3Dus_whcrm%20%20sourcetype%3D%22bmw-sl-nsp-prd-api%22%20source%3DMuleUSAppLogs%20logger%3Dorg.mule.runtime.core.internal.exception.OnErrorPropagateHandler%0A%7Cdedup%20properties.correlationId&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1689756449.354722_A1AACC25-F417-4F61-B253-89557D014363. Click or tap if you trust this link." href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsplunkeu.bmwgroup.net%2Fen-US%2Fapp%2Fsearch%2Fsearch%3Fearliest%3D-24h%2540h%26latest%3Dnow%26q%3Dsearch%2520index%253Dus_whcrm%2520%2520sourcetype%253D%2522bmw-sl-nsp-prd-api%2522%2520source%253DMuleUSAppLogs%2520logger%253Dorg.mule.runtime.core.internal.exception.OnErrorPropagateHandler%250A%257Cdedup%2520properties.correlationId%26display.page.search.mode%3Dsmart%26dispatch.sample_ratio%3D1%26display.page.search.tab%3Devents%26display.general.type%3Devents%26sid%3D1689756449.354722_A1AACC25-F417-4F61-B253-89557D014363&amp;data=05%7C01%7CAwarshika.Kushwaha%40cognizant.com%7Cc3cdb1fa33b7453da5c908db88362c81%7Cde08c40719b9427d9fe8edf254300ca7%7C0%7C0%7C638253538486990859%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=Fh%2FySSBEOljKCxA54f5s7i%2FXQK8zEhMC%2Ba3h4%2BZ6nMU%3D&amp;reserved=0" target="_blank" rel="noopener noreferrer"><SPAN>[-]</SPAN></A><SPAN><BR />&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><STRONG><SPAN>logger</SPAN></STRONG></SPAN><SPAN class=""><SPAN>:&nbsp;</SPAN></SPAN><SPAN class=""><SPAN>org.mule.runtime.core.internal.exception.OnErrorPropagateHandler</SPAN></SPAN><SPAN><BR />&nbsp;&nbsp;&nbsp;</SPAN><SPAN class=""><STRONG><SPAN>message</SPAN></STRONG></SPAN><SPAN class=""><SPAN>:&nbsp;</SPAN></SPAN></P><P class=""><SPAN class=""><SPAN>********************************************************************************</SPAN></SPAN></P><P class=""><SPAN class=""><SPAN>Message &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: 'until-successful' retries exhausted</SPAN></SPAN></P><P class=""><SPAN class=""><SPAN>&nbsp;Element &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: bmw-sl-nsp-case-readSub_Flow/processors/1 @ bmw-sl-nsp-prd-api:write/bmw-sl-nsp-case-read.xml:88 (Until Successful)</SPAN></SPAN></P><P class=""><SPAN>Element DSL &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: &lt;until-successful maxRetries="${max.retries}" doc:name="Until Successful" doc:id="b76dd101-8752-43aa-ab94-d548b699ea7a" millisBetweenRetries="${time.between.retires.case}"&gt; &lt;http:request method="GET" doc:name="Get Cases" doc:id="b846734d-4ff0-479d-bc21-e112cd9e8919" config-ref="HTTP_Request_configuration" path="${schedular.getcases.target.path}" sendCorrelationId="ALWAYS" correlationId="#[correlationId]"&gt; &lt;http:query-params&gt;&lt;![CDATA[ #[output application/java --- { "startTimestamp" : vars.startTimestamp, "country" : vars.currentCountry, "endTimestamp" : vars.endTimestamp, "businessUnit" : vars.currentBusinessUnit }]</SPAN></P> Wed, 19 Jul 2023 09:00:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651098#M225117 avi7326 2023-07-19T09:00:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651099#M225118 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/246450">@avi7326</a>,</P><P>this seems to be a json log, so you can use "INDEXED_EXTRACTIONS =json" at the ingestion or the "spath" command during the search.</P><P>Anyway, you can extract this string also using a regex like the following:</P><LI-CODE lang="markup">| rex "Message\s+:\s+(?&lt;message&gt;.+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/OhTHyC/1" target="_blank">https://regex101.com/r/OhTHyC/1</A></P><P>ciao.</P><P>Giuseppe</P> Wed, 19 Jul 2023 09:24:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651099#M225118 gcusello 2023-07-19T09:24:30Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651100#M225119 <P>I have tried the above query but from that I am getting the whole message I only want to extract the 1 and 2 line .<BR />I have tried this and getting only until successful in the table I want the whole line&nbsp;<SPAN>'until-successful' retries exhausted</SPAN><BR />| rex field=message "(?ms)Message\s+'(?&lt;message&gt;.*?)'"<BR />| table message<BR /><BR /></P> Wed, 19 Jul 2023 09:35:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651100#M225119 avi7326 2023-07-19T09:35:15Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651101#M225120 <P><SPAN>I have tried the above query but from that I am getting the whole message I only want to extract the 1 and 2 line .</SPAN><BR /><SPAN>I have tried this and getting only until successful in the table I want the whole line&nbsp;</SPAN><SPAN>'until-successful' retries exhausted</SPAN><BR /><SPAN>| rex field=message "(?ms)Message\s+'(?&lt;message&gt;.*?)'"</SPAN><BR /><SPAN>| table message</SPAN></P> Wed, 19 Jul 2023 09:56:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651101#M225120 avi7326 2023-07-19T09:56:51Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651120#M225132 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/246450">@avi7326</a>,</P><P>let me understand: you want to extract only the logger and message rows in two different fields, is it correct?</P><P>in this case, please try this regex</P><LI-CODE lang="markup">| rex "(?ms)logger:(?&lt;logger&gt;.*)\s*message:\s+(?&lt;message&gt;.*)Message"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/OhTHyC/2" target="_blank">https://regex101.com/r/OhTHyC/2</A></P><P>Ciao.</P><P>Giuseppe</P> Wed, 19 Jul 2023 13:04:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-message-from-log-events/m-p/651120#M225132 gcusello 2023-07-19T13:04:23Z