Thanks, and sorry I was not clear. I basically want to use rex to define a string as a field called errortype. As an example, the event may contain the following: cxx.1185: An IP address becomes unavailable , or another error may be cxx.1185: Map is full . This is what I tried. The error description is always after the cxx.1185 and before the next comma. This almost worked, but I can't work out how to pattern match everything after cxx.1185: and before the next comma. I tried things like " *," but that didn't work:

index=alarm-app-n | rex field=_raw "cxx.1185:(?<errortype>*,)"

I worked it out after a bit more searching on Splunk Answers. This works:

index=alarm-app-n LEVEL=major | rex field=_raw "cxx.1185:(?<errortype>[^,]+)"
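The extraction from the working search above, reproduced outside Splunk as an added example (not part of the original post) so the two patterns can be compared on constructed sample events: the negated character class `[^,]+` captures up to the next comma, while the first attempt `*,` is rejected by the regex engine because `*` has nothing to repeat. Python's `re` names groups as `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the matching logic is the same.

```python
import re

# Constructed sample events in the shape the post describes (not real log data).
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 host1 LEVEL=major cxx.1185: An IP address becomes unavailable , cause=link-down",
    "2024-01-01 10:05:00 host2 LEVEL=major cxx.1185: Map is full , cause=capacity",
    "2024-01-01 10:06:00 host3 LEVEL=minor cxx.2000: unrelated message, nothing here",
]

# Equivalent of the working rex from the post. The dot in "cxx.1185" is escaped
# here so it matches only a literal dot; the unescaped form in the search would
# also accept any single character in that position.
ERRORTYPE_RE = re.compile(r"cxx\.1185:(?P<errortype>[^,]+)")


def extract_errortype(event: str):
    """Return the text between 'cxx.1185:' and the next comma, or None if absent.

    Surrounding whitespace is stripped for readability; Splunk's rex would keep
    it in the field value unless trimmed separately.
    """
    m = ERRORTYPE_RE.search(event)
    return m.group("errortype").strip() if m else None


def extract_all(events):
    """Apply the extraction to every event, mirroring rex over a result set."""
    return [extract_errortype(e) for e in events]


def first_attempt_is_valid():
    """Check whether the post's first attempt, '(?<errortype>*,)', compiles.

    It does not: '*' is a quantifier with nothing before it to repeat, so the
    engine rejects the pattern instead of matching 'anything up to a comma'.
    """
    try:
        re.compile(r"cxx\.1185:(?P<errortype>*,)")
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for event, errortype in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{errortype!r:40} <- {event}")
    print("first attempt compiles:", first_attempt_is_valid())
```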