Splunk Search

Field Extraction errors

jclehmuth
Path Finder

I keep receiving this error:
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

I am trying to create a field extraction for Src_ip. The IP I am trying to extract is at the end of the events, similar to below.

Nov 7 00:19:22 10.0.33.210 2014-11- 7 5:19:20 Retina: Retina has found Low Severity audit Scheduler Service Potential Security Hazard on ip 10.0.33.250.

Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit Account Lockout Reset Time on ip 10.0.33.250.

Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational audit Microsoft Windows Share Allows Everyone Access on ip 10.0.33.250.

0 Karma
1 Solution

martin_mueller
SplunkTrust

Assuming it's always prefixed by "on ip" and at the end of the line and sometimes followed by that period, you can use this regex:

on ip (?<src_ip>\S+?)\.?$

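To check the accepted answer against the events from the question, here is an added example (not code from the thread or from Splunk) that runs the regex as first posted, the same regex with the stray `^` removed, and a stricter dotted-quad variant. JavaScript is used because its `(?<name>...)` named-group syntax is the same PCRE-style form Splunk's field extractor and `rex` command accept, so the patterns can be copied across unchanged. The `events` array is a constructed copy of the three sample lines above; the function names are this example's own.

```javascript
// Added example, not code from the thread: the accepted-answer regex run
// against the three events from the question.

// Constructed copies of the sample events posted in the question.
const events = [
  "Nov 7 00:19:22 10.0.33.210 2014-11- 7 5:19:20 Retina: Retina has found Low Severity audit Scheduler Service Potential Security Hazard on ip 10.0.33.250.",
  "Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit Account Lockout Reset Time on ip 10.0.33.250.",
  "Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational audit Microsoft Windows Share Allows Everyone Access on ip 10.0.33.250.",
];

// Regex exactly as first posted. The ^ inside the group is a start-of-string
// anchor; it can never succeed after the literal "on ip ", so nothing matches.
const asPosted = /on ip (?<src_ip>^\S+?)\.?$/;

// With the stray ^ removed. The lazy \S+? grows one character at a time until
// the optional period and end-of-line can match, so the trailing period stays
// out of the captured value.
const fixed = /on ip (?<src_ip>\S+?)\.?$/;

// Stricter variant: describe the dotted-quad shape of the value itself, so the
// extraction no longer depends on the IP being the last token on the line.
const strict = /on ip (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})/;

// Return the named capture for one line, or null when the regex does not match.
function extract(re, line) {
  const m = re.exec(line);
  return m ? m.groups.src_ip : null;
}

// Apply a regex across a batch of events, the way a field extraction would.
function extractAll(re, lines) {
  return lines.map((line) => extract(re, line));
}

// Compare the three patterns side by side.
function compare(lines) {
  return {
    asPosted: extractAll(asPosted, lines),
    fixed: extractAll(fixed, lines),
    strict: extractAll(strict, lines),
  };
}

console.log(compare(events));
```

In a search the corrected pattern can be tried without touching any configuration, for example `... | rex "on ip (?<src_ip>\S+?)\.?$"`, and moved into a field extraction once the captured values look right.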

jclehmuth
Path Finder

Thanks, that worked. I had to make a minor adjustment, but it worked.

0 Karma

dehtallyutedeh
Explorer

martin_muller,

Is there a guide on how to use the regex?
I have a similar problem.

My data
... Version/7.0 Mobile/11B554a Safari/9537.53", client-ip="55.555.555.55", x-akamai-config-log-detail="true", te="chunked;q=1.0", connection="TE", akamai-origin-hop="2"...

I'm trying to get the client-ip.

I tried client-ip=" (?^\S+?)\"?$ but it doesn't work. Any help?

0 Karma

s2_splunk
Splunk Employee

You have a self-describing log format using key=value pairs; Splunk should auto-extract all fields for you. Does it not?

Your RegEx should probably read

client-ip=\"(?<client_ip>[^\"]*)\"

to at least answer your question.

There are a bunch of RegEx learning/testing sources available on the interwebs. Google is your friend. 😉

0 Karma

dehtallyutedeh
Explorer

No, Splunk didn't auto-extract it, which I found very odd...

I'll look up some more RegEx information to get this solution to work.

0 Karma

mohan401
Engager

I am also facing the same issue in my case:
Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit from IP 10.0.33.250. Account Lockout Reset Time.

Nov 7 00:19:17 10.0.33.210 2014-11- 7 5:19:15 Retina: Retina has found Informational from IP 10.0.33.250. audit Microsoft Windows Share Allows Everyone Access

I am using a regex like:
from IP (?^\S+?).*
I am getting IP string.

0 Karma
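The two follow-up problems in this thread, the quoted `client-ip="..."` value and the `from IP x.` line, share two regex pitfalls worth seeing side by side: a greedy `.*` between quotes, and a lazy `\S+?` followed by `.*`. The added example below (not code from the thread or from Splunk) runs both the problematic and the corrected patterns over lines constructed from the fragments posted above. Note also that a regex group name may only contain word characters, so a field called `client-ip` has to be captured as `client_ip` (or similar). The sample strings and function names are this example's own.

```javascript
// Added example, not code from the thread: key=value extraction and the
// lazy-quantifier pitfall, using Splunk-compatible (?<name>...) groups.

// Constructed from the access-log fragment in the client-ip question.
const kvLine =
  '... Version/7.0 Mobile/11B554a Safari/9537.53", client-ip="55.555.555.55", x-akamai-config-log-detail="true", te="chunked;q=1.0", connection="TE", akamai-origin-hop="2"...';

// Greedy .* runs to the LAST double quote on the line, so the capture
// swallows every field that follows client-ip.
const greedy = /client-ip="(?<client_ip>.*)"/;

// A negated character class stops at the closing quote of this value.
const bounded = /client-ip="(?<client_ip>[^"]*)"/;

// Constructed from the Retina event in the "from IP" post.
const retinaLine =
  "Nov 7 00:19:19 10.0.33.210 2014-11- 7 5:19:17 Retina: Retina has found Medium Severity audit from IP 10.0.33.250. Account Lockout Reset Time.";

// Lazy \S+? takes the fewest characters that let the rest of the pattern
// match, and .* matches anything at all, so the group captures one character.
const lazyThenAny = /from IP (?<src_ip>\S+?).*/;

// Describe the value itself instead of relying on what follows it.
const shaped = /from IP (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})/;

// Return the named group `name` from the first match, or null if no match.
function capture(re, name, line) {
  const m = re.exec(line);
  return m ? m.groups[name] : null;
}

// Run all four patterns so the difference is visible in one object.
function demo() {
  return {
    greedy: capture(greedy, "client_ip", kvLine),
    bounded: capture(bounded, "client_ip", kvLine),
    lazyThenAny: capture(lazyThenAny, "src_ip", retinaLine),
    shaped: capture(shaped, "src_ip", retinaLine),
  };
}

console.log(demo());
```

The general rule both fixes follow: bound the capture by describing the value (a character class that excludes the closing delimiter, or the shape of an IP address) rather than by what happens to come after it.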

jclehmuth
Path Finder

I forgot to mention I'm using 6.2

0 Karma