https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18029#M2566 <P>i just want to extract a word "Error" from msg field and keep it in a calculated field.</P> Mon, 29 Apr 2013 11:52:44 GMT ChhayaV 2013-04-29T11:52:44Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18027#M2564 <P>hi,</P> <P>I want to extract a particular word and add it to a calculated field from a message field i have a share point server log</P> <P>sample entries are</P> <PRE><CODE>04/02/2013 00:41:51.82 w3wp.exe (0x2324) 0x1D5C SharePoint Foundation General 8e2r Medium Possible mismatch between the reported error with code = 0x81070504 and message: "There is no Web named "/IndiaAccountsCommunity/IndiaCommunityAccounts/Future Generali/_vti_bin/lists.asmx"." and the returned error with code 0x80070002. 104159c7-12e1-44b6-b4f5-5141ddaf3ea1 04/02/2013 00:35:32.94 OWSTIMER.EXE (0x0758) 0x2CB8 SharePoint Foundation Usage Infrastructure bjb7 High Call to WSS ImportEntries method with '65' entries failed for usage definition 'Microsoft.SharePoint.Administration.SPRequestUsageDefinition'. Entries will now be redirected to ULS logs (level=Verbose). Error message: An entry with the same key already exists. 3bb778c7-24f3-4d54-abcb-20069b71d953 </CODE></PRE> <P>it can be an error or ERROR or Error everything should be extracted as a single field<BR /> tried with regex,rex and eval match not able to do it.</P> <P>thanks in advance</P> Sun, 28 Apr 2013 09:17:04 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18027#M2564 ChhayaV 2013-04-28T09:17:04Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18028#M2565 <P>It is not clear <EM>what</EM> you want to extract. Or how you wish to use/present the results.</P> <P><CODE>regex</CODE> is used for regex-based filtering of events, not for extraction of fields</P> <P><CODE>eval</CODE> requires that the fields you wish to operate on already exists.</P> <P><CODE>rex</CODE> is probably what you want (initially).</P> <P>/K</P> Sun, 28 Apr 2013 12:42:05 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18028#M2565 kristian_kolb 2013-04-28T12:42:05Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18029#M2566 <P>i just want to extract a word "Error" from msg field and keep it in a calculated field.</P> Mon, 29 Apr 2013 11:52:44 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18029#M2566 ChhayaV 2013-04-29T11:52:44Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18030#M2567 <P>What do you mean by calculated in this sense? A field is a field, regardless of how it was created. What calculated field are you talking about, and how do you mean that the error should be "added"?</P> Mon, 29 Apr 2013 12:39:52 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18030#M2567 Ayn 2013-04-29T12:39:52Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18031#M2568 <PRE><CODE>... | eval error=if(match(_raw,"(?i)ERROR"),"error", "OK") | table error _raw </CODE></PRE> <P>Will create a field called error that contains either "error" or "OK" depending if the word "error" is anywhere in the message. This is NOT case sensitive.</P> Mon, 29 Apr 2013 12:53:18 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/18031#M2568 jonuwz 2013-04-29T12:53:18Z