https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311883#M93439 <P>Hi,</P> <P>What I mean is that I want to parse all the error messages in my logs into one field called Errors but the regular expressions are different. </P> <P>Examples:<BR /> Error: exceed max iterations, iter 120, count_trial 120<BR /> ERROR setup_acap_venv.sh failed.<BR /> ERROR [ac_analysis.tools.merge_annotations:327]</P> <P>They don't quite all match up so one field extraction won't encompass all of them. Is there a way to have multiple regex that go into one field? Or is there a way to handle this when indexing the data instead of creating a field extraction?</P> Tue, 29 Sep 2020 14:12:15 GMT byu168 2020-09-29T14:12:15Z https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311883#M93439 <P>Hi,</P> <P>What I mean is that I want to parse all the error messages in my logs into one field called Errors but the regular expressions are different. </P> <P>Examples:<BR /> Error: exceed max iterations, iter 120, count_trial 120<BR /> ERROR setup_acap_venv.sh failed.<BR /> ERROR [ac_analysis.tools.merge_annotations:327]</P> <P>They don't quite all match up so one field extraction won't encompass all of them. Is there a way to have multiple regex that go into one field? Or is there a way to handle this when indexing the data instead of creating a field extraction?</P> Tue, 29 Sep 2020 14:12:15 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311883#M93439 byu168 2020-09-29T14:12:15Z https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311884#M93440 <P>Yes, you can definitely have multiple field extractions in to the same field.</P> <P>props.conf</P> <PRE><CODE>[&lt;sourcetype&gt;] REPORT-yourfield = yourfield1,yourfield2,yourfield3 </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[yourfield1] REGEX = (?&lt;yourfield&gt;blahblahblah) [yourfield2] REGEX = (?&lt;yourfield&gt;moreblahmoreblah) [yourfield3] REGEX = (?&lt;yourfield&gt;evenmoreblah) </CODE></PRE> Thu, 25 May 2017 18:46:15 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311884#M93440 micahkemp 2017-05-25T18:46:15Z https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311885#M93441 <P>One field extract should work, especially if your logs all lead with 'error' string prefix. Simple extraction based on your sample events:</P> <P><CODE>(?i)error[\s:]+(?.*) OR (?i)error[^\w]+(?.*(?\]|\.))</CODE></P> <P>The first one being the more simple/straightforward of the two, with the latter aiming to clean up the extracted data if you are so inclined.</P> <P><CODE>perl -ne 'print $1.$/ if /error[^\w]+(.*(?&lt;!\]|\.))/i' re_sample</CODE><BR /> <CODE>exceed max iterations, iter 120, count_trial 120</CODE><BR /> <CODE>setup_acap_venv.sh failed</CODE></P> <H2><CODE>ac_analysis.tools.merge_annotations:327</CODE></H2> <P>Joe</P> Thu, 25 May 2017 19:06:04 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311885#M93441 jwalbert 2017-05-25T19:06:04Z https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311886#M93442 <P>Yes, you can do this in the CLI by piping to a series of <CODE>regex</CODE> commands back-to-back with the same capture name. The last successful one will win but none of the unsuccessful ones will damage a previously successful field value creation.</P> Thu, 25 May 2017 19:08:34 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311886#M93442 woodcock 2017-05-25T19:08:34Z https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311887#M93443 <P>Thanks! Worked perfectly</P> Thu, 25 May 2017 21:33:56 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-regex-in-a-field-extraction/m-p/311887#M93443 byu168 2017-05-25T21:33:56Z