Splunk Search

How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel
New Member

I have a simple field extraction for postfix:

(?=[^C]*(?:Client host rejected|C.*Client host rejected))^(?:[^\[\n]*\[){3}(?P[^\]]+) 

This was working fine and giving me a src_ip, but after the upgrade from 7.1.2 to 7.2.0 it doesn't appear this works:
[screenshot]
However, when going to Field extraction my src_ip field is identified:

[screenshot]

Not sure where to go next...thank you

0 Karma

justinw
Explorer

I had this same issue. When investigating the cause, I found that I had a field alias relating to the same sourcetype and field. The field alias was not actually doing anything, so I went ahead and deleted it. Once deleted, I was able to see the field extraction in the search. In my case the field alias was "Field"="ProblemField"
I hope this helps.

0 Karma

prakash007
Builder

On your note, just an FYI on a fieldalias incorrect behavior from 7.2.x versions...

https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html

0 Karma

richgalloway
SplunkTrust

I think your regex string is more complex than necessary. Try something simpler like Client host \[(?<src_ip>[^\]]+)\] blocked. This is untested since I can't paste screenshots into regex101.com for testing.

---
If this reply helps you, Karma would be appreciated.
0 Karma

skoelpin
SplunkTrust

Agreed. Regex needs to be cleaned up

0 Karma

DigiAngel
New Member

While I appreciate the fact that the splunk generated regex may need work, in the blue screenshot above the field is shown already extracted; hovering over the ip shows "src_ip". Also, again, this worked just fine in 7.1.2...what changed in 7.2.0? Thanks for the responses.

0 Karma

skoelpin
SplunkTrust

Perhaps they made a code change to tighten rules on regex? Have you looked at the release notes? Why not just use a cleaner approach to writing regular expressions?

0 Karma

DigiAngel
New Member

I will test the changed regex...I just don't have access to the box at this moment 😉 But ya I'll test something different like you suggested and report my findings thanks.

0 Karma

skoelpin
SplunkTrust

Try adding this to test

| rex "Client\shost\s\[(?<src_ip>\d+\.\d+\.\d+\.\d+)\]"
0 Karma
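An added test harness (not code from the thread) that runs the question's extraction regex and the rex pattern above against constructed postfix events, the offline check richgalloway wanted regex101 for. The group name src_ip in the first pattern is assumed, since the forum stripped it; the sample event layout is constructed, and on that layout the rex pattern does not match, which is exactly why candidate extractions should be checked against your own events before they go into props.conf.

```python
import re

# Added example, not from the thread. Python's re needs the (?P<name>...)
# form; Splunk's PCRE engine accepts both (?P<name>...) and (?<name>...).

# The original poster's extraction. The forum stripped the group name;
# it is assumed here to be src_ip, as the question describes.
OP_PATTERN = re.compile(
    r"(?=[^C]*(?:Client host rejected|C.*Client host rejected))"
    r"^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)"
)

# The rex suggestion from the thread, rewritten with (?P<...>) for Python.
REX_PATTERN = re.compile(r"Client\shost\s\[(?P<src_ip>\d+\.\d+\.\d+\.\d+)\]")

# Constructed sample events (not real log data); the layout is assumed.
REJECT_EVENT = (
    "Nov  5 10:12:01 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.45]: 554 5.7.1 <unknown[203.0.113.45]>: Client host "
    "rejected: Access denied; from=<a@example.net> to=<b@example.org>"
)
ACCEPT_EVENT = (
    "Nov  5 10:12:05 mx1 postfix/smtpd[2231]: connect from "
    "mail.example.com[198.51.100.7]"
)


def extract_src_ip(pattern: re.Pattern, event: str):
    """Return the src_ip capture, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("src_ip") if m else None


if __name__ == "__main__":
    # The OP's pattern takes the third bracketed value on a reject line and
    # ignores lines without "Client host rejected"; the rex pattern expects
    # the IP directly after "Client host", which this layout does not have.
    for name, pat in (("OP_PATTERN", OP_PATTERN), ("REX_PATTERN", REX_PATTERN)):
        for label, ev in (("reject", REJECT_EVENT), ("accept", ACCEPT_EVENT)):
            print(f"{name} on {label} event -> {extract_src_ip(pat, ev)!r}")
```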

DigiAngel
New Member

Aye that rex line worked like a champ in search. That same line in field extraction doesn't work...it's almost like the extractions aren't happening. Guess I need to find a way to see what extractions are taking place.

0 Karma

DigiAngel
New Member

Here's a screenshot..again, if I click Event Actions -> Extract Fields it matches as shown above. Thank you.
[screenshot]

0 Karma

richgalloway
SplunkTrust

Your regex string does not match your sample event. Perhaps it was mangled by the forum. Please edit your question to show the full regex string, making sure to indent the line 4 spaces or put it inside backtick characters.

---
If this reply helps you, Karma would be appreciated.
0 Karma