Splunk Search

Field Extraction errors

jclehmuth
Path Finder

I keep receiving this error:
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

I am trying to create a field extraction for Src_ip. The IP I am trying to extract is at the end of the events, similar to below.

Nov 7 00:19:22 10.0.33.210 2014-11- 7 5:19:20 Retina: Retina has found Low Severity audit Scheduler Service Potential Security Hazard on ip 10.0.33.250.

Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit Account Lockout Reset Time on ip 10.0.33.250.

Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational audit Microsoft Windows Share Allows Everyone Access on ip 10.0.33.250.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Assuming it's always prefixed by "on ip" and at the end of the line and sometimes followed by that period, you can use this regex:

on ip (?<src_ip>^\S+?)\.?$

View solution in original post

jclehmuth
Path Finder

Thanks that worked, I had to minor adjust but it worked.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Assuming it's always prefixed by "on ip" and at the end of the line and sometimes followed by that period, you can use this regex:

on ip (?<src_ip>^\S+?)\.?$

dehtallyutedeh
Explorer

martin_muller,

Is there a guide on how to use the regex?
I have a similar problem.

My data
... Version/7.0 Mobile/11B554a Safari/9537.53", client-ip="55.555.555.55", x-akamai-config-log-detail="true", te="chunked;q=1.0", connection="TE", akamai-origin-hop="2"...

I'm trying to get the client-ip.

I tried client-ip=" (?^\S+?)\"?$ but it doesnt work. Any help?

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

You have a self-describing log format using key=value pairs; Splunk should auto-extract all fields for you. Does it not?

Your RegEx should probably read

client-ip=\"(?<client-ip>.*)\"

to at least answer your question.

There are a bunch of RegEx learning/testing sources available on the interwebs. Google is your friend. 😉

0 Karma

dehtallyutedeh
Explorer

No, Splunk didn't auto-extract it. Which I found very odd....

I'll look up some more RegEx information to get this solution to work.

0 Karma

mohan401
Engager

I am also facing same issue in my case :
Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit from IP 10.0.33.250. Account Lockout Reset Time.

Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational from IP 10.0.33.250. audit Microsoft Windows Share Allows Everyone Access

I am using regrx like :
from IP (?^\S+?).*
I am getting IP string.

0 Karma

jclehmuth
Path Finder

I forgot to mention I'm using 6.2

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...