Solved: Field extraction, string after last colon

indeed_2000 · ‎06-28-2020

I have log file like this,want with regex extract everything after last colon in each line

input:

2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053: Could not commit.

2020-06-28 14:24:41,322 ERROR In--111111[Processor] FATAL: exception in process: [GG_010] Failed >> 0060: required to perform this operation (extended persistence context).

2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053:Could not update.

2020-06-28 12:08:21,777 ERROR in-app-9999999 [Service] authorize: org.closed.PropertyAccessException: Null value was assigned to a property [class co.domain.entity] of primitive type setter of domain.entity.

2020-06-28 15:03:32,710 ERROR In: Could not commit.

2020-06-28 15:03:32,: 71::0 :ERROR :In: not commit.

output:

Could not commit

required to perform this operation (extended persistence context)

Could not update

Null value was assigned to a property [class co.domain.entity] of primitive type setter of domain.entity.

Could not commit.

not commit.

Thanks

isoutamo · ‎06-28-2020

You could try this:
| rex field=_raw ".*:(?<message>[^:]+)"
r. Ismo

View solution in original post

isoutamo · ‎06-28-2020

You could try this:
| rex field=_raw ".*:(?<message>[^:]+)"
r. Ismo

Field extraction, string after last colon

administration

troubleshooting

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation