Splunk Search

Field extractor is unusually slow (max single event time=, probes=warning max=)

royimad
Builder

I have a regular expression that extract everything that exist between brackets
Extraction:

(?i) .*?   (?P<METHOD>\-\s+\[\w+.*.\])\s+\w+

I'm receiving the following Warning
Field extractor name=EXTRACT-METHOD is unusually slow (max single event time=1081ms, probes=5 warning max=1000ms)

0 Karma
1 Solution

kristian_kolb
Ultra Champion

That regex does look a bit odd to me. If you have an event like:

blah blah [yohoo_123] blah blah

and just want to extract yohoo_123 your regex should probably look more like;

...| rex "\[(?<METHOD>[^\]]+)\]"

i.e. after the opening square bracket, grab everything that is NOT a closing square bracket, followed by a closing square bracket.

/K

View solution in original post

kristian_kolb
Ultra Champion

That regex does look a bit odd to me. If you have an event like:

blah blah [yohoo_123] blah blah

and just want to extract yohoo_123 your regex should probably look more like;

...| rex "\[(?<METHOD>[^\]]+)\]"

i.e. after the opening square bracket, grab everything that is NOT a closing square bracket, followed by a closing square bracket.

/K

kristian_kolb
Ultra Champion

Should work.

props.conf
[your_sourcetype]
EXTRACT-blah = \s\[(?<METHOD>[^\]]+)\]\s

/k

0 Karma

royimad
Builder

I need that METHOD field will be persistent

0 Karma

royimad
Builder

How to put that in props.conf

0 Karma

royimad
Builder

perfect dude:)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...