Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write regex to extract my field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write regex to extract my field?
Hi, i'm try using the interactive field extractor tools create a field for this
"Exception Message"="Thread was being aborted."
but getting following error "The generated regex was unable to match all examples (e.g., =, Thread was being aborted., Exception Message). Consider entering different examples, or manually editing the regex."
any suggestion a regex syntax or how to auto detect the field it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're asking about extracting the field name along with the field value, you can do that with a combination of props.conf and transforms.conf:
props.conf
[your_sourcetype]
REPORT-kv = extract_quoted_fields
...
transforms.conf
[extract_quoted_fields]
REGEX = "(?<_KEY_1>([^"]|\\")+)"\s*=\s*"(?<_VAL_1>([^"]|\\")+)"
Make sure my Q'n'D regex actually suits your data, didn't test it myself. The main thing is to use the magic _KEY_x and _VAL_x names to extract both field names and field values in one swoop.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For Search time
your base search | rex field=_raw "\"Exception Message\"=\"(?<ExceptionMessage>[^\"]*)\""
In Props.conf
EXTRACT-exceptionmsg = \"Exception Message\"=\"(?<ExceptionMessage>[^\"]*)\"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
works great, but how to setup it up so that splunk automatic recognize fields based on
"Exception Message"="*"
for example splunk recognize this Source=OAA.Security.PassiveSTS.Shell automatic assigning "Source" as the field,
thank-you for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Exception Message"="Thread was being aborted.", Source=OAA.Security.PassiveSTS.Shell, TargetSite="Void SignOutRequest()", WindowsIdentity="IIS APPPOOL\Test.com"
Above is the logs, but splunk auto assign the field to "Source" ,"TargetSite" and "WindowsIdentity" but not "Exception Message" or maybe the "
i want extract exception message "Exception Message"="*" or better to have it in props.conf to auto assign it.
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post some complete sample events, along with the what string to extract?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
