Hi,
Finally i came up with the working solution and the search query is as follows :
host="sharepoint" | rex field=message "(?i)\b exception\b:\s(?P[^)]+Exception):" |rename Field1 as output | append [search host="sharepoint" | rex field=message "(?<=[Errorlfailed]: )(?P[^)]+Exception:)" |
rename Field2 as output] | table output

Hello ChhayaV,
The log doesn't have anything to match for the second regex so i can't try with it. The first regex matches the fields which you require.

If you want to do on UI, you can do it one field at a time after that save the field or ignore the matches which are not required.

Hi linu1988,
i just wanted to do it through Splunk web.
Here i have provided the sample log entries
" http://answers.splunk.com/answers/98772/field-extraction-using-regex-command "

The error is probably related to fact that you have a pipe character in the rex. Try to escape it with a backslash, otherwise it may be interpreted as part of the search query.

also, should it say 'Errorlfailed'? you don't want '(Error|Failed)'? Escape as needed.

Chhaya, if you are having problem with the search you can actually use the props.conf/transforms.conf as Ayn has suggested. I don't have the log with me so cant create the perfect matching.

You can also do |rex .... |rex ... |eval Newfield=field1." ".field2 OR directly get the fields and concatenate extracted from props.conf. Hope it clarifies..

If you're going to use these extractions for anything else but just the odd search here and there you really should move them into props.conf / transforms.conf instead of having them inline in your searches.

Also one more thing is i want Field1 and Field2 values to be captured in a single field i.e.,values of Field1 and Field2 should captured as a single field say "NewField"

Hi linu1988,
I tried with the way you have suggested but its not working.Saying error in rex command.
Actually i tried with the pipe(|) command which is not showing any error in the regex(no desirable output).
Tried query is :

host="sharepoint" | rex field=message "(?<=[Errorlfailed]\: )(?P<Field1>[^\)]+Exception:)|(?i)\b exception\b:\s(?P<Field2>[^\)]+Exception)\:" | table Field1 Field2

Here its only displaying the result for Field1.Field2 values are coming blank.

This is correct. For an event like;

timestamp [blah] AAA:BBB:CCC DDD:EEE:FFF

where you wish to extract 'blah' and 'EEE', you can write a regex that will get them in one go;

...| rex "\[(?<first>[^\]]+)\]\s\S+\s\w:(?<second>\w+):\w+"

However some care might be required - if the messages in a log are formatted differently, so that for some events e.g. the second field can't be matched, the rex statement as a whole will fail, and neither first nor second will be extracted for that event.

/K