https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220834#M64888 <P>Good stuff!</P> Fri, 22 Apr 2016 20:22:24 GMT ktugwell_splunk 2016-04-22T20:22:24Z https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220829#M64883 <P>Hi, banging my head...</P> <PRE><CODE>04/22/2016 09:23:50,865 - ERROR - exception occurred --- FOO BAR Severity: Error Message: Timeout expired. MachineName: MY MACHINE 04/22/2016 09:23:56,318 - ERROR - exception occurred --- System.Data.SqlClient.SqlException: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) </CODE></PRE> <P>I have a single log file that contains the two formats. What I want to do is if the entry has "Message:", then make this the extracted field ErrorMessage, Else If the entry have "ERROR" then, make this the extracted field ErrorMessage.</P> <P>(?:Message:)|(?:ERROR -)|\s+(?P(?:[^\n]*)) this is the regex I started with and modified with few things and I still can't get it right. </P> <P>Help appreciated.</P> <P>Thank you,</P> <P>Chris</P> Fri, 22 Apr 2016 18:50:02 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220829#M64883 chrisboy68 2016-04-22T18:50:02Z https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220830#M64884 <P>You could do 2 field extractions both producing the same field name <CODE>ErrorMessage</CODE></P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] EXTRACT-1 = Message:\s+(?&lt;ErrorMessage&gt;[A-Za-z0-9 ]+) EXTRACT-2 = \d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2},\d{3}\s-\sERROR\s-\s(?&lt;ErrorMessage&gt;.+) </CODE></PRE> <P>That regex isn't the best in the world but you can keep tweaking it to suit your needs</P> <P>Be sure to add all the possible characters you may see after "Message:" in this part of the regex <CODE>[A-Za-z0-9 ]</CODE></P> Fri, 22 Apr 2016 19:04:08 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220830#M64884 ktugwell_splunk 2016-04-22T19:04:08Z https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220831#M64885 <P>Thanks, but wouldn't that still execute both EXTRACTs? I just want One or the Other.</P> <P>Chris</P> Fri, 22 Apr 2016 19:09:26 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220831#M64885 chrisboy68 2016-04-22T19:09:26Z https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220832#M64886 <P>Give it a try, I may be wrong, but I think you'll only only see EXTRACT-2 as ErrorMessage if EXTRACT-1 doesn't exist. Either that or it'll create a multi value field.</P> Fri, 22 Apr 2016 19:17:21 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220832#M64886 ktugwell_splunk 2016-04-22T19:17:21Z https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220833#M64887 <P>Thanks. You look to be correct! Its working.</P> <P>Chris</P> Fri, 22 Apr 2016 20:20:40 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220833#M64887 chrisboy68 2016-04-22T20:20:40Z https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220834#M64888 <P>Good stuff!</P> Fri, 22 Apr 2016 20:22:24 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-to-Find-First-Match-of-OR/m-p/220834#M64888 ktugwell_splunk 2016-04-22T20:22:24Z