Solved: Field extractor is unusually slow (max single eve...

royimad · ‎04-11-2013

I have a regular expression that extract everything that exist between brackets
Extraction:

(?i) .*?   (?P<METHOD>\-\s+\[\w+.*.\])\s+\w+

I'm receiving the following Warning
Field extractor name=EXTRACT-METHOD is unusually slow (max single event time=1081ms, probes=5 warning max=1000ms)

kristian_kolb · ‎04-12-2013

That regex does look a bit odd to me. If you have an event like:

blah blah [yohoo_123] blah blah

and just want to extract yohoo_123 your regex should probably look more like;

...| rex "\[(?<METHOD>[^\]]+)\]"

i.e. after the opening square bracket, grab everything that is NOT a closing square bracket, followed by a closing square bracket.

/K

kristian_kolb · ‎04-12-2013

That regex does look a bit odd to me. If you have an event like:

blah blah [yohoo_123] blah blah

and just want to extract yohoo_123 your regex should probably look more like;

...| rex "\[(?<METHOD>[^\]]+)\]"

i.e. after the opening square bracket, grab everything that is NOT a closing square bracket, followed by a closing square bracket.

/K

kristian_kolb · ‎04-12-2013

Should work.

props.conf
[your_sourcetype]
EXTRACT-blah = \s\[(?<METHOD>[^\]]+)\]\s

/k

royimad · ‎04-12-2013

I need that METHOD field will be persistent

royimad · ‎04-12-2013

How to put that in props.conf

royimad · ‎04-12-2013

perfect dude:)

Field extractor is unusually slow (max single event time=, probes=warning max=)