Hi. That works, cool! What about the second use case, when the regex matches but the words "ERROR" or "failed" are not in the text??

Thank you!!!!

Hi robettinger
regex is all, also failed or ERROR, so if you haven't failed or ERROR field isn't extracted.

Modify the regex to manage also "ERROR" in addition to "failed"

(?ms)Client logging in as (?<user_failed_login>[^ ]*).*(failed|ERROR)

See updated example https://regex101.com/r/qWg6Tz/2

Bye.
Giuseppe

Hi Giuseppe,

that's what I would like: The Events:

2017/09/26 09:44:05 Client logging in as robertE on DB1...
2017/09/26 09:45:54 Client logging in as  on DB1...
ERROR:Missing login information
2017/09/26 08:58:02 Client logging in as jamesH on DB1...
Connect to Oracle failed: 
ORA-01017: invalid username/password; logon denied

These 3 events should match these 2 fields:

usernameOK: robertE
usernameFail: jamesH and ""

I can manage the usernameFail regex:

rex "(?ms)Client logging in as (?<usernameFail>[^ ]*).*(?i)(ERROR |failed|ERROR:)"

but I am struggling to get the usernameOK because if I use:

rex "(?ms)Client logging in as (?<usernameFail>[^ ]*).*

it will also match the failed ones ....

The question is how can I match only the events where there is no ERROR or FAIL in the body?

Hi
for user_login use

| rex "Client logging in as (?<user_login>[^ ]*)(?!.*failed)"

test it at https://regex101.com/r/mKCWJs/1

Bye.
Giuseppe

Nope. Dunno why but the original event has the "failed" string in the second line. Basically I am trying to create a field called AccessFail with the username when the regex matches AND the words "ERROR" or "failed" are present and another field called AccessOK when the regex matches but the words are not present. Does this make sense?

This is only acquired on failure.
Please show me the log at the time of success.