@bmaupin
Created November 2, 2018 15:38
Extract Java exceptions in Graylog

Get exceptions in search results

Regular expressions used in searches seem to match against the extracted search "terms" rather than the original message text. You can see the terms by clicking on any message, then clicking the down arrow > Show terms of .... For this reason, "exception" needs to be lower-case in the query:

    message:/([a-z0-9\.]+exception)/

Extract exceptions as a field

  1. Create a new rule

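    rule "Extract Java exceptions"
    when
        regex("([A-Za-z0-9\\.]+Exception(?!\\w))", to_string($message.message)).matches == true
    then
        // Class name (optionally package-qualified) ending in "Exception";
        // the (?!\\w) lookahead skips names such as "ExceptionHandler"
        let exception_regex = regex("([A-Za-z0-9\\.]+Exception(?!\\w))", to_string($message.message));
        // Unnamed capture groups are indexed from "0"
        set_field("exception", exception_regex["0"]);
    end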
    
  2. Create a new pipeline and add this rule

To extract exceptions as a decorator (so the exception field won't be indexed), don't connect the pipeline to any particular stream. Instead, run a search and then go to Decorators > Select decorator > Pipeline Processor Decorator > Apply, and select the pipeline you created.

To extract exceptions at index time, connect the pipeline to a stream, e.g. All messages.
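
To check what the rule's pattern will and won't extract before connecting the pipeline, this added example (not part of the original gist) runs the same regular expression in Python over constructed log messages. The function names and sample messages are assumptions for illustration; it goes slightly beyond the rule by also listing every exception in a chained trace, whereas the rule stores only the first match.

```python
import re
from collections import Counter

# Same pattern as the pipeline rule (single backslashes: Python raw string).
EXCEPTION_RE = re.compile(r"([A-Za-z0-9\.]+Exception(?!\w))")


def extract_exception(message):
    """Return the first exception name in the message, or None.

    This mirrors what the rule writes to the "exception" field.
    """
    match = EXCEPTION_RE.search(message)
    return match.group(1) if match else None


def extract_all(message):
    """Return every exception name, e.g. for 'Caused by:' chains."""
    return EXCEPTION_RE.findall(message)


def summarize(messages):
    """Count messages per extracted exception name (first match only)."""
    return Counter(e for e in map(extract_exception, messages) if e)


# Constructed sample messages, not taken from a real system.
SAMPLES = [
    'ERROR [main] java.lang.NullPointerException: Cannot invoke "String.length()"',
    "WARN Registered GlobalExceptionHandler for /api",  # lookahead rejects this
    "ERROR javax.servlet.ServletException: wrapped\n"
    "Caused by: java.io.IOException: Broken pipe",      # chained trace
    'Exception in thread "main" java.lang.IllegalStateException: closed',
    "ERROR java.lang.NullPointerException at com.example.Foo.bar(Foo.java:12)",
    "INFO user login ok",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line[:40]), "->", extract_exception(line), extract_all(line))
    print(summarize(SAMPLES))
```

Note that a bare `Exception` is never extracted, because the pattern requires at least one character before it; in the fourth sample the field would hold `java.lang.IllegalStateException`.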
