https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676584#M231383 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252275">@AL3Z</a>&nbsp;,</P><P>Please try below;</P><LI-CODE lang="markup">| rex field=_raw "System\.Exception:\s+(?&lt;system_exception&gt;[^\(\']+)"</LI-CODE> Mon, 05 Feb 2024 13:28:39 GMT scelikok 2024-02-05T13:28:39Z https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676575#M231381 <P>Hi all,</P><P>help me extracting the field from the below two events<BR /><SPAN class="">System.Exception:</SPAN> <SPAN class="">Assertion</SPAN> <SPAN class="">violated:</SPAN> <SPAN class="">stream.ReadByteInto</SPAN><SPAN>(</SPAN><SPAN class="">bufferStream</SPAN><SPAN>) </SPAN><SPAN class="">==</SPAN> <SPAN class="">0x03</SPAN><BR /><SPAN class="">System.Exception:</SPAN> <SPAN class="">An</SPAN> <SPAN class="">error</SPAN> <SPAN class="">was</SPAN> <SPAN class="">encountered</SPAN> <SPAN class="">while</SPAN> <SPAN class="">attempt</SPAN> <SPAN class="">to</SPAN> <SPAN class="">fetch</SPAN> <SPAN class="">proxy</SPAN> <SPAN class="">credentials</SPAN> <SPAN class="">for</SPAN> <SPAN class="">user 'xyz</SPAN></P><P>&nbsp;</P><P>system_exception=<SPAN class="">Assertion</SPAN> <SPAN class="">violated:</SPAN> <SPAN class="">stream.ReadByteInto</SPAN></P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<SPAN class="">An</SPAN> <SPAN class="">error</SPAN> <SPAN class="">was</SPAN> <SPAN class="">encountered</SPAN> <SPAN class="">while</SPAN> <SPAN class="">attempt</SPAN> <SPAN class="">to</SPAN> <SPAN class="">fetch</SPAN> <SPAN class="">proxy</SPAN> <SPAN class="">credentials</SPAN> <SPAN class="">for</SPAN> <SPAN class="">user</SPAN></P><P>thanks</P> Mon, 05 Feb 2024 12:19:39 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676575#M231381 AL3Z 2024-02-05T12:19:39Z https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676584#M231383 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252275">@AL3Z</a>&nbsp;,</P><P>Please try below;</P><LI-CODE lang="markup">| rex field=_raw "System\.Exception:\s+(?&lt;system_exception&gt;[^\(\']+)"</LI-CODE> Mon, 05 Feb 2024 13:28:39 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676584#M231383 scelikok 2024-02-05T13:28:39Z https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676589#M231385 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;,</P><P>Can you pls explain this part I didnt understand&nbsp; [^\(\']+)</P> Mon, 05 Feb 2024 14:13:58 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676589#M231385 AL3Z 2024-02-05T14:13:58Z https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676607#M231391 Hi<BR />I match all other characters except ( and ' and there must be at least one or more those with any order and combination.<BR />You can test these e.g. regex101.com.<BR />There is also descriptions what all those anchors etc. are/meaning.<BR />r. Ismo Mon, 05 Feb 2024 15:28:37 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-in-extracting-the-field/m-p/676607#M231391 isoutamo 2024-02-05T15:28:37Z