topic Re: How come our field extractions no longer work after 7.2.0 upgrade? in Splunk Search

How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel — Tue, 29 Sep 2020 21:52:56 GMT

I have a simple field extraction for postfix:

(?=[^C]*(?:Client host rejected|C.*Client host rejected))^(?:[^\[\n]*\[){3}(?P[^\]]+)

This was working fine and giving me a src_ip, but after the upgrade from 7.1.2 to 7.2.0 it doesn't appear this works:

However, when going to Field extraction my src_ip field is identified:

Not sure where to go next...thank you

Re: How come our field extractions no longer work after 7.2.0 upgrade?

richgalloway — Fri, 02 Nov 2018 11:25:33 GMT

Your regex string does not match your sample event . Perhaps it was mangled by the forum. Please edit your question to show the full regex string, making sure to indent the line 4 spaces or put it inside backtick chaacters.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel — Fri, 02 Nov 2018 11:59:50 GMT

Here's a screenshot..again, if I click Event Actions -> Extract Fields it matches as shown above. Thank you.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel — Fri, 02 Nov 2018 11:59:50 GMT

Here's a screenshot..again, if I click Event Actions -> Extract Fields it matches as shown above. Thank you.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

richgalloway — Fri, 02 Nov 2018 13:50:08 GMT

I think your regex string is more complex than necessary. Try something simpler like Client host \[(?<src_ip>[^\]]+)\] blocked. This untested since I can't paste screenshots into regex101.com for testing.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

skoelpin — Fri, 02 Nov 2018 14:05:02 GMT

Agreed. Regex needs to be cleaned up

Re: How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel — Fri, 02 Nov 2018 14:11:30 GMT

While I appreciate the fact that the splunk generated regex may need work, in the blue screenshot above the field is shown already extracted; hovering over the ip shows "src_ip". Also, again, this worked just fine in 7.1.2...what changed in 7.2.0? Thanks for the responses.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

skoelpin — Fri, 02 Nov 2018 14:16:22 GMT

Perhaps they made a code change to tighten rules on regex? Have you looked at the release notes? Why not just use a cleaner approach to writing regular expressions?

Re: How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel — Fri, 02 Nov 2018 14:20:13 GMT

I will test the changed regex...I just don't have access to the box at this moment 😉 But ya I'll test something different like you suggested and report my findings thanks.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

skoelpin — Fri, 02 Nov 2018 14:25:27 GMT

Try adding this to test

| rex Client\shost\s\[(?<src_ip>\d+\.\d+\.\d+\.\d+)\]

Re: How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel — Fri, 02 Nov 2018 14:37:27 GMT

Aye that rex line worked like a champ in search. That same line in field extraction doesn't work...it's almost like the extractions aren't happening. Guess I need to find a way to see what extractions are taking place.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

justinw — Fri, 30 Nov 2018 18:29:41 GMT

I had this same issue. When investigating the cause, I found that I had a field alias relating to the same sourcetype and field. The field alias was not actually doing anything, so I went ahead and deleted it. Once deleted, I was able to see the field extraction in the search. In my case the field alias was "Field"="ProblemField"
I hope this helps.

Re: How come our field extractions no longer work after 7.2.0 upgrade?

prakash007 — Sat, 01 Dec 2018 21:05:26 GMT

On your note, just an FYI on a fieldalias incorrect behavior from 7.2.x versions...

https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html