Regular Expression in Splunk

I need regular expression which will provide me error msg in following format:

[2011-09-21 17:53:24:446 GMT][75DABF9052639D387C4E2F8EF7DC516C.http-8080-18]  [com.abc.resolver.rest.CommComponent] ERROR Cannot get payload while processing error message
[2011-09-21 17:53:24:446 GMT][75DABF9052639D387C4E2F8EF7DC516C.http-8080-18][com.pqr.chktest.Client] ERROR Error connecting to http://beta.com/api/1 with response code: 401
[2011-09-21 17:53:24:446 GMT][75DABF9052639D387C4E2F8EF7DC516C.http-8080-18][com.pqr开发者_JS百科.chktest.Client] ERROR upload error: java.lang.Exception: Error connecting to beta server at http address http://beta.com

Cannot get payload while processing Error connecting to http://beta.com/api/1 with upload error: Error connecting to

Basically, I want to get only first 5 words after word "ERROR" (in capital letter)

"ERROR (?[^[]+)" is returning me the whole words. But I'm not able to get it working for just first 5 words.

Also, if the first 5 words after ERROR contains java.lang.Exception, I don;t want to include it in my result, instead I need the next matching words.

Any help is much appreciated.

Thanks!

Try the regular expression

"ERROR(\s+[^\s]+){5}"

to get five words after "ERROR". For the second part (exclude java.lang.Exception) I would not do it in a single regex but test the first match and if it includes these words start another search on the string, now like

"java.lang.Exception:(\s+[^\s]+){5}"