I keep receiving this error:
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
I am trying to create a field extraction for Src_ip. The IP I am trying to extract is at the end of the events, similar to below.
Nov 7 00:19:22 10.0.33.210 2014-11- 7 5:19:20 Retina: Retina has found Low Severity audit Scheduler Service Potential Security Hazard on ip 10.0.33.250.
Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit Account Lockout Reset Time on ip 10.0.33.250.
Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational audit Microsoft Windows Share Allows Everyone Access on ip 10.0.33.250.
Assuming it's always prefixed by "on ip" and at the end of the line and sometimes followed by that period, you can use this regex:
on ip (?<src_ip>\S+?)\.?$
Thanks, that worked. I had to adjust it slightly, but it worked.
martin_muller,
Is there a guide on how to use the regex?
I have a similar problem.
My data
... Version/7.0 Mobile/11B554a Safari/9537.53", client-ip="55.555.555.55", x-akamai-config-log-detail="true", te="chunked;q=1.0", connection="TE", akamai-origin-hop="2"...
I'm trying to get the client-ip.
I tried client-ip=" (?^\S+?)\"?$ but it doesn't work. Any help?
You have a self-describing log format using key=value pairs; Splunk should auto-extract all fields for you. Does it not?
Your RegEx should probably read
client-ip=\"(?<client_ip>[^"]+)\"
to at least answer your question.
There are a bunch of RegEx learning/testing sources available on the interwebs. Google is your friend. 😉
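Added example, not part of either answer above: a small Python harness that runs the two extraction regexes from this thread (the "on ip" pattern and the client-ip pattern) over constructed copies of the posted events, so you can see why the originally posted "on ip" regex matched nothing, why a greedy .* in the client-ip regex grabs far too much, and that a matched string is not necessarily a valid IP. The function names, the pcre_to_python conversion helper and the sample events are my own assumptions; Splunk itself uses PCRE, so the patterns are written in Splunk's (?<name>...) form and converted for Python's re module.

```python
import ipaddress
import re

# Constructed sample events in the shapes posted in this thread (not real data).
RETINA_EVENTS = [
    "Nov 7 00:19:22 10.0.33.210 2014-11- 7 5:19:20 Retina: Retina has found Low Severity audit Scheduler Service Potential Security Hazard on ip 10.0.33.250.",
    "Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit Account Lockout Reset Time on ip 10.0.33.250.",
    # Same event without the trailing period, to exercise the optional \.? at the end.
    "Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational audit Microsoft Windows Share Allows Everyone Access on ip 10.0.33.250",
]

AKAMAI_EVENT = (
    '... Version/7.0 Mobile/11B554a Safari/9537.53", client-ip="55.555.555.55", '
    'x-akamai-config-log-detail="true", te="chunked;q=1.0", connection="TE", '
    'akamai-origin-hop="2"...'
)


# Splunk field extractions and the rex command use PCRE named groups, (?<name>...).
# Python's re module only accepts (?P<name>...), so rewrite that one token before
# compiling. The lookahead leaves lookbehinds such as (?<= and (?<! untouched.
def pcre_to_python(pattern: str) -> str:
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


# As originally posted: the "^" inside the group is a start-of-line anchor, and it can
# never match after "on ip " in the middle of the line, so nothing is extracted.
SRC_IP_AS_POSTED = r"on ip (?<src_ip>^\S+?)\.?$"

# Corrected: no anchor inside the group. The lazy \S+? stops before the optional
# trailing period, so the period is not swallowed into the field value.
SRC_IP_PATTERN = r"on ip (?<src_ip>\S+?)\.?$"

# client-ip regex with two fixes: PCRE group names may not contain "-", so the field
# is client_ip, and [^"]+ stops at the first closing quote instead of running
# greedily to the last quote on the line the way .* does.
CLIENT_IP_PATTERN = r'client-ip="(?<client_ip>[^"]+)"'

# Greedy variant, kept only to show what goes wrong with .* on a line of many pairs.
CLIENT_IP_GREEDY = r'client-ip="(?<client_ip>.*)"'


def extract(pattern: str, event: str) -> dict:
    """Return the named groups a PCRE-style pattern captures from one event."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else {}


def is_ipv4(value: str) -> bool:
    """A regex only captures text; validate separately so 55.555.555.55 is flagged."""
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


if __name__ == "__main__":
    for ev in RETINA_EVENTS:
        print("posted :", extract(SRC_IP_AS_POSTED, ev))
        print("fixed  :", extract(SRC_IP_PATTERN, ev))
    bounded = extract(CLIENT_IP_PATTERN, AKAMAI_EVENT)
    print("bounded:", bounded, "valid IPv4:", is_ipv4(bounded["client_ip"]))
    print("greedy :", extract(CLIENT_IP_GREEDY, AKAMAI_EVENT))
```

To try the same patterns inside Splunk before committing them to a field extraction, pipe the events through rex, e.g. `... | rex "on ip (?<src_ip>\S+?)\.?$"`, and check the field in the results before saving it in props.conf or the extraction UI.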
No, Splunk didn't auto-extract it, which I found very odd.
I'll look up some more RegEx information to get this solution to work.
I am also facing the same issue in my case:
Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit from IP 10.0.33.250. Account Lockout Reset Time.
Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational from IP 10.0.33.250. audit Microsoft Windows Share Allows Everyone Access
I am using a regex like:
from IP (?^\S+?).*
I am getting the IP string.
I forgot to mention I'm using 6.2