Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Receiving error while trying to extracting fields using regex

muradgh
Path Finder
‎10-26-2022 02:59 PM

Hi Splunkers 

I'm trying to extract some fields using the opting under the log "Extract Fields" using the regix method.

In the step of "Select Fields" when I select a filed that I would like to extract, it freezes for a couple of minutes and returns with the following message:

"The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

So I'm not "extracting multiple fields", its just one filed, and yet the error still appears.

Here is the log sample I used:

2022-10-26T20:10:11+03:00 192.168.xxx.xxx TRP|No Caller ID received: Line: 8 Slot: 2 Port: 12

I was just trying to extract the "TRP".

I have tried different ways to solve this issue:

I have tried the "I prefer to write the regular expression myself" option in the "Select Method" step and entered the regix and hit "Preview" but it just stuck.

I have tried to use other log sample with no luck.

Tried using totally different log from a totally different index but ended up with the same error message.

Even restated Splunk but no luck either!

 

What am I missing here? 

Labels (1)
Labels
0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 03:06 PM

It's hard to optimize the regex with such a small sample size. But you can try this:

^[^\s]*\s(?<ip_address>\d+\.\d+\.\d+\.\d+)\s(?<status_code>[^\|]*)

 

0 Karma
Reply

muradgh
Path Finder
‎10-26-2022 11:57 PM

I don't have a problem with the regex itself, whatever field I select or regex I provide, it shows the same error

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...