Use the extract command to obtain excerpts of an existing field using a regular expression. The command will capture the resulting excerpts into virtual fields using the names provided for the regular expression groups.


The extract command cannot operate on the Original Log Content field. If no field is specified, the default field is Message.

To use the extract command on the value of the Original Log Content field, first copy the Original Log Content field into a string field, and then run extract on the new string field.


extract field = <field_to_parse> (<regular_expression>)


The following table lists the parameters used in this command, along with their descriptions.

| Parameter | Description |
| --- | --- |
| field_to_parse | Specify the field that must be parsed using the regular expression. |
| regular_expression | Specify the regular expression to use for parsing the existing field. The format of the regular expression construct must be consistent with RE2J pattern matching and should contain at least one named-capturing group. See Regular Expressions Syntax. |

The following command separates the content of the Entity field into two parts. For example, with this pattern the entity value host-phx-1.oci.oraclecloud.com is split into two virtual fields named Host and Domain, with values host-phx-1 and oci.oraclecloud.com.

* | extract field = Entity '(?P<Host>[^.]+)\\.?(?P<Domain>.*)'

The following command creates a new virtual field named ErrorCode, which contains the suffix of the ErrorInfo field, so that it can be used as a key in the lookup table Error Ids. This can be used to look up the description and remediation steps from a lookup table and provide a tabular summary of how many times each error occurred and how to remediate it.

'Log Source' like '%database%'
    | extract field = ErrorInfo 'ora-(?P<ErrorCode>.*)'
    | lookup table="error ids" select error_description,
        error_remediation using error_id = ErrorCode
    | stats count, unique(error_description),
        unique(error_remediation) by ErrorInfo
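
One way to check a named-group pattern offline before placing it in an extract command, as an added example that is not part of the original documentation. It assumes Python's re module as a stand-in for RE2J (both accept (?P<name>...) groups); the function names and sample values are constructed for illustration.

```python
import re

# Heuristic for constructs RE2-family engines reject but Python's re accepts:
# lookahead/lookbehind and backreferences.
RE2_UNSUPPORTED = re.compile(r"\(\?<?[=!]|\(\?P=|\\[1-9]")


def extract(pattern, value):
    """Return {group_name: text} for one field value, as virtual fields.

    Assumptions: Python's re stands in for RE2J, the pattern is searched
    anywhere in the value, and a non-matching value yields no fields.
    """
    if RE2_UNSUPPORTED.search(pattern):
        raise ValueError("lookaround/backreference is not available in RE2")
    regex = re.compile(pattern)
    if not regex.groupindex:
        raise ValueError("pattern needs at least one named-capturing group")
    match = regex.search(value)
    if match is None:
        return {}
    return {k: v for k, v in match.groupdict().items() if v is not None}


# Constructed sample values.
ENTITY = "host-phx-1.oci.oraclecloud.com"
ERROR_VALUES = ["ora-00942", "tns-12541"]


def demo():
    return {
        # \w does not match '-', so Host stops at the first hyphen.
        "word_class": extract(r"(?P<Host>\w+)\.?(?P<Domain>.*)", ENTITY),
        # Capturing up to the first dot keeps hyphenated host names whole.
        "to_first_dot": extract(r"(?P<Host>[^.]+)\.?(?P<Domain>.*)", ENTITY),
        # Only values with the ora- prefix produce an ErrorCode key.
        "error_codes": [extract(r"ora-(?P<ErrorCode>.*)", v) for v in ERROR_VALUES],
    }


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```

Running the same check over a handful of real field values shows whether records that fail to match would end up without the key that a later lookup step depends on.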