https://community.splunk.com/t5/Splunk-Search/field-extraction-for-error-message/m-p/669966#M229716 <P>I want to extract the&nbsp; following information make it as a field as "error message" .<BR /><BR />index=os source="/var/log/syslog" "*authentication failure*" OR "Generic preauthentication failure"<BR /><BR />Events example :<BR /><BR /><SPAN class="">Nov</SPAN> <SPAN class="">28</SPAN> <SPAN class="">01:02:31</SPAN>&nbsp;server1&nbsp;<SPAN class="">sssd</SPAN><SPAN>[</SPAN><SPAN class="">ldap_child</SPAN><SPAN>[</SPAN><SPAN class="">12010</SPAN><SPAN>]]</SPAN><SPAN class="">:</SPAN> <SPAN class="">Failed</SPAN> <SPAN class="">to</SPAN> <SPAN class="">initialize</SPAN> <SPAN class="">credentials</SPAN> <SPAN class="">using</SPAN> <SPAN class="">keytab</SPAN><SPAN> [</SPAN><SPAN class="">MEMORY:/etc/krb5.keytab</SPAN><SPAN>]</SPAN><SPAN class="">:</SPAN> <SPAN class=""><SPAN class="">Generic</SPAN> <SPAN class="">preauthentication</SPAN> <SPAN class="">failure</SPAN></SPAN><SPAN>. </SPAN><SPAN class="">Unable</SPAN> <SPAN class="">to</SPAN> <SPAN class="">create</SPAN> <SPAN class="">GSSAPI-encrypted</SPAN> <SPAN class="">LDAP</SPAN> <SPAN class="">connection.<BR /><BR />Nov 28 01:02:29&nbsp;server2&nbsp;&nbsp;proxy_child<SPAN>[</SPAN>1939385<SPAN>]</SPAN>: pam_unix<SPAN>(</SPAN>system-auth-ac:auth<SPAN>)</SPAN>: <SPAN class="">authentication failure</SPAN><SPAN>; </SPAN>logname= uid=0 euid=0 tty=ssh ruser= rhost=10.177.46.57 user=hippm<BR /><BR /></SPAN></P> Tue, 28 Nov 2023 06:12:02 GMT Hema_Nithya 2023-11-28T06:12:02Z https://community.splunk.com/t5/Splunk-Search/field-extraction-for-error-message/m-p/669966#M229716 <P>I want to extract the&nbsp; following information make it as a field as "error message" .<BR /><BR />index=os source="/var/log/syslog" "*authentication failure*" OR "Generic preauthentication failure"<BR /><BR />Events example :<BR /><BR /><SPAN class="">Nov</SPAN> <SPAN class="">28</SPAN> <SPAN class="">01:02:31</SPAN>&nbsp;server1&nbsp;<SPAN class="">sssd</SPAN><SPAN>[</SPAN><SPAN class="">ldap_child</SPAN><SPAN>[</SPAN><SPAN class="">12010</SPAN><SPAN>]]</SPAN><SPAN class="">:</SPAN> <SPAN class="">Failed</SPAN> <SPAN class="">to</SPAN> <SPAN class="">initialize</SPAN> <SPAN class="">credentials</SPAN> <SPAN class="">using</SPAN> <SPAN class="">keytab</SPAN><SPAN> [</SPAN><SPAN class="">MEMORY:/etc/krb5.keytab</SPAN><SPAN>]</SPAN><SPAN class="">:</SPAN> <SPAN class=""><SPAN class="">Generic</SPAN> <SPAN class="">preauthentication</SPAN> <SPAN class="">failure</SPAN></SPAN><SPAN>. </SPAN><SPAN class="">Unable</SPAN> <SPAN class="">to</SPAN> <SPAN class="">create</SPAN> <SPAN class="">GSSAPI-encrypted</SPAN> <SPAN class="">LDAP</SPAN> <SPAN class="">connection.<BR /><BR />Nov 28 01:02:29&nbsp;server2&nbsp;&nbsp;proxy_child<SPAN>[</SPAN>1939385<SPAN>]</SPAN>: pam_unix<SPAN>(</SPAN>system-auth-ac:auth<SPAN>)</SPAN>: <SPAN class="">authentication failure</SPAN><SPAN>; </SPAN>logname= uid=0 euid=0 tty=ssh ruser= rhost=10.177.46.57 user=hippm<BR /><BR /></SPAN></P> Tue, 28 Nov 2023 06:12:02 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-for-error-message/m-p/669966#M229716 Hema_Nithya 2023-11-28T06:12:02Z https://community.splunk.com/t5/Splunk-Search/field-extraction-for-error-message/m-p/669980#M229723 <P>What defines the start and end of the error text in each of those examples and how much of that do you want to get in error_message</P><P>You could very simply do this</P><LI-CODE lang="markup">| rex "\]:\s(?&lt;error_message&gt;.*)"</LI-CODE><P>which would take everything after the ]: to the end of the event</P> Tue, 28 Nov 2023 07:59:47 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-for-error-message/m-p/669980#M229723 bowesmana 2023-11-28T07:59:47Z