topic Re: Why am I getting an error when doing field extraction with the field extractor tool? in Splunk Search

Why am I getting an error when doing field extraction with the field extractor tool?

tanp685 — Wed, 20 Jun 2018 12:42:45 GMT

I'm trying to extract a field with the field extractor tool, however, keep getting errors back

This is a part of the sample log event containing the fields:
<pfId>208431</pfId><isoId>208431</isoId>

both these fields tend to have the same values most of the time, and I'm trying to root out instances where they don't have the same values. So tried to display them with the query
| table pfId, isoId

but it doesn't work - shows up as empty tables

Appreciate any help I can get with this.

Re: Why am I getting an error when doing field extraction with the field extractor tool?

cpetterborg — Wed, 20 Jun 2018 13:49:01 GMT

Are the fields extracted? You state that you keep getting errors with the Field Extraction Tool, so I'm assuming that you aren't getting the fields when you try to do the table command because if the fields are empty, you will get no data from the table command.

Re: Why am I getting an error when doing field extraction with the field extractor tool?

solarboyz1 — Wed, 20 Jun 2018 13:52:32 GMT

... | rex "\<pfId\>(?<pfId>\d+?)\<" |  | rex "\<isoId\>(?<isoId>\d+?)\<"  | search pfId=isoId | table pfId, isoId

Re: Why am I getting an error when doing field extraction with the field extractor tool?

ddrillic — Wed, 20 Jun 2018 13:52:48 GMT

Something in the spirit of \<pfId\>(.*?)\<\/pfId\> should work.

Please use - Regular expressions 101

A good thread - Splunking HTML Formatted Log Files

Please test with -

index=<any index>
| eval _raw="<pfId>208431</pfId><isoId>208431</isoId>"
| rex field=_raw "\<pfId\>(?<pfId>.*?)\<\/pfId\>"
| rex field=_raw "\<isoId\>(?<isoId>.*?)\<\/isoId\>"

It should produce the pfId and isoId fields.

Re: Why am I getting an error when doing field extraction with the field extractor tool?

FrankVl — Wed, 20 Jun 2018 14:02:30 GMT

If you want help resolving your issues with the field extractor, it would help if you would explain your attempts and the errors you got.

A simple rex command solution to extract these two fields in your query could look like this:

| rex "pfId\>(?<pfId>[^\>]+)"
| rex "isoId\>(?<isoId>[^\>]+)"

Alternatively, you could have a look at the xmlkv command: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Xmlkv

Re: Why am I getting an error when doing field extraction with the field extractor tool?

tanp685 — Wed, 20 Jun 2018 16:08:03 GMT

tried this

index=WPG
 | eval _raw="<pfId>208431</pfId><isoId>208431</isoId>"
 | rex field=_raw "\<pfId\>(?<pfId>.*?)\<\/pfId\>"
 | rex field=_raw "\<isoId\>(?<isoId>.*?)\<\/isoId\>" | table pfId, isoId | transpose |

and it works !
given that there was only two main IDs used for both pfID and isoID I've gone with a pie chart.

Thanks everyone for your help really appreciate it.

Re: Why am I getting an error when doing field extraction with the field extractor tool?

tanp685 — Wed, 20 Jun 2018 16:09:15 GMT

tried it and it works thanks !

Re: Why am I getting an error when doing field extraction with the field extractor tool?

tanp685 — Wed, 20 Jun 2018 16:09:54 GMT

no they weren't. but the rex commands worked.

Re: Why am I getting an error when doing field extraction with the field extractor tool?

tanp685 — Wed, 20 Jun 2018 16:10:09 GMT

thanks! it works

Re: Why am I getting an error when doing field extraction with the field extractor tool?

tanp685 — Wed, 20 Jun 2018 16:10:22 GMT

thanks ! tried it.

Re: Why am I getting an error when doing field extraction with the field extractor tool?

ddrillic — Wed, 20 Jun 2018 16:41:29 GMT

@tanp685 - great to hear - btw, it's customary to drop on us some good points if we are helpful ; -)

Re: Why am I getting an error when doing field extraction with the field extractor tool?

cpetterborg — Wed, 20 Jun 2018 17:44:17 GMT

I've converted this comment to an Answer. @tanp685 - You can up-vote this answer, and still accept your own answer for your question, or accept this answer if you would like to do that.