Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extractor Utility: Why am I getting error "The extraction failed. If you are extracting multiple fields, try removing one or more fields..."?

carlyleadmin
Contributor
‎03-07-2018 01:19 PM

Splunk version 6.2.3

hi all,

i know there are alot of questions/answers like thialt textt and neither one of them tells you what the issue is and just give you the resolution.so i thought maybe someone can do the same for me:)though i would like to know why this is failing.

Attached is the screenshot where i would like to extract those highlighted field as "ILM".i select one sample and create ILM but it would not extract the other fields like the one highlighted automatically on other samples,so i select another one, select the field try to tag it as "ILM" and i get an error.

pattern is same where there is an error log with explanation what is going on(like the highlighted field).can i anyone tell me why this one errors out?

i extracted other fields where selected field picks up automatically across the other samples and works like charm but here,it is driving me crazy.

Any help is greatly appreciated

Tags (1)
Preview file
126 KB
0 Karma
Reply

JDukeSplunk
Builder
‎03-15-2018 10:45 AM

I use this one for a manual regex a good bit when the string I want is always preceded by a certain string. 

|yourbasesearch | rex field=_raw "null - <fieldname>.*)"

You may have to "escape" the dash with either one or two .
I don't know how good this is, but it seems to work for me.

0 Karma
Reply

deepashri_123
Motivator
‎03-08-2018 03:53 AM

Hey carlyleadmin,

It is a better approach if you write your regex manually.
Alternatively, try field extractor to extract fields in parts and extract not more than 2 or 3 fields at a time.

Hope this helps!!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-07-2018 03:02 PM

The field extractor is probably coming up with regular expression that is too complex. When this happens to me I just write the regex manually. Actually, I almost always write my own regular expressions since they tend to be simpler than what the wizard creates.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...