Receiving error while trying to extracting fields ...

muradgh · ‎10-26-2022

Hi Splunkers

I'm trying to extract some fields using the opting under the log "Extract Fields" using the regix method.

In the step of "Select Fields" when I select a filed that I would like to extract, it freezes for a couple of minutes and returns with the following message:

"The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

So I'm not "extracting multiple fields", its just one filed, and yet the error still appears.

Here is the log sample I used:

2022-10-26T20:10:11+03:00 192.168.xxx.xxx TRP|No Caller ID received: Line: 8 Slot: 2 Port: 12

I was just trying to extract the "TRP".

I have tried different ways to solve this issue:

I have tried the "I prefer to write the regular expression myself" option in the "Select Method" step and entered the regix and hit "Preview" but it just stuck.

I have tried to use other log sample with no luck.

Tried using totally different log from a totally different index but ended up with the same error message.

Even restated Splunk but no luck either!

What am I missing here?

johnhuang · ‎10-26-2022

It's hard to optimize the regex with such a small sample size. But you can try this:

^[^\s]*\s(?<ip_address>\d+\.\d+\.\d+\.\d+)\s(?<status_code>[^\|]*)

muradgh · ‎10-26-2022

I don't have a problem with the regex itself, whatever field I select or regex I provide, it shows the same error

Receiving error while trying to extracting fields using regex

field extraction

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes