Splunk Search

How come our field extractions no longer work after 7.2.0 upgrade?

New Member

I have a simple field extraction for postfix:

    (?=[^C]*(?:Client host rejected|C.*Client host rejected))^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)

This was working fine and giving me a src_ip, but after the upgrade from 7.1.2 to 7.2.0 it doesn't appear this works:

[screenshot]

However, when going to Field extraction my src_ip field is identified:

[screenshot]

Not sure where to go next...thank you

0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

SplunkTrust
SplunkTrust

Your regex string does not match your sample event. Perhaps it was mangled by the forum. Please edit your question to show the full regex string, making sure to indent the line 4 spaces or put it inside backtick characters.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

New Member

Here's a screenshot. Again, if I click Event Actions -> Extract Fields it matches as shown above. Thank you.

[screenshot]

0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

SplunkTrust
SplunkTrust

I think your regex string is more complex than necessary. Try something simpler like Client host \[(?<src_ip>[^\]]+)\] blocked. This is untested, since I can't paste screenshots into regex101.com for testing.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

SplunkTrust
SplunkTrust

Agreed. The regex needs to be cleaned up.

0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

New Member

While I appreciate the fact that the Splunk-generated regex may need work, in the blue screenshot above the field is shown already extracted; hovering over the IP shows "src_ip". Also, again, this worked just fine in 7.1.2. What changed in 7.2.0? Thanks for the responses.

0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

SplunkTrust
SplunkTrust

Perhaps they made a code change to tighten rules on regex? Have you looked at the release notes? Why not just use a cleaner approach to writing regular expressions?

0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

New Member

I will test the changed regex. I just don't have access to the box at this moment 😉 But yeah, I'll test something different like you suggested and report my findings. Thanks.

0 Karma

Re: How come our field extractions no longer work after 7.2.0 upgrade?

SplunkTrust
SplunkTrust

Try adding this to your search to test (the regex argument to rex must be quoted):

    | rex "Client\shost\s\[(?<src_ip>\d+\.\d+\.\d+\.\d+)\]"
0 Karma
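The thread's advice boils down to "test the regex against a real event before blaming the upgrade". The following is an added example, not code from the original post or from Splunk, that does exactly that offline with Python's re module: it runs the poster's bracket-counting regex (group name restored as src_ip) and an anchored alternative of my own against constructed postfix/smtpd lines in postfix's usual "NOQUEUE: reject: RCPT from host[ip]: ... Client host rejected" format. It also shows the failure mode a practitioner should care about: a regex that captures "whatever follows the third [" silently returns nothing as soon as the number of brackets before the IP changes (here, when the syslog program prefix is absent), while a regex anchored on the reject text itself does not. The thread's suggested pattern is also included; it only matches if the event literally contains "Client host [ip]", so its result depends on what your events actually look like. Python spells named groups (?P<name>...), which Splunk's PCRE also accepts alongside (?<name>...).

```python
import re
from typing import Dict, Optional

# Constructed sample events (not from the original post) in postfix's standard
# smtpd reject format.
REJECT_EVENT = (
    "Oct 23 10:15:02 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.45]: 554 5.7.1 <unknown[203.0.113.45]>: Client host rejected: "
    "Access denied; from=<spam@example.net> to=<user@example.com> proto=ESMTP "
    "helo=<mailer.example.net>"
)
# The same event with the "program[pid]:" prefix stripped, so one fewer "[" precedes the IP.
REJECT_EVENT_NO_PREFIX = REJECT_EVENT.split("]: ", 1)[1]
# An accepted connection; a "Client host rejected" extraction must yield nothing here.
CONNECT_EVENT = (
    "Oct 23 10:15:03 mail postfix/smtpd[12345]: connect from mx.example.org[198.51.100.7]"
)

PATTERNS: Dict[str, str] = {
    # The poster's regex with the group name restored: a lookahead that requires
    # "Client host rejected" somewhere in the line, then "skip three '[' from the
    # start of the line" and capture up to the next ']'.  Positional, hence brittle.
    "count_brackets": (
        r"(?=[^C]*(?:Client host rejected|C.*Client host rejected))"
        r"^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)"
    ),
    # The pattern suggested in the thread's last reply; matches only events that
    # literally contain "Client host [ip]".
    "client_host_bracket": r"Client\shost\s\[(?P<src_ip>\d+\.\d+\.\d+\.\d+)\]",
    # My own alternative (an assumption for this log format, not from the thread):
    # anchor on the reject text and the host[ip] token instead of on bracket count.
    "anchor_on_text": (
        r"reject: RCPT from [^\[\s]*\[(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\]"
        r".*Client host rejected"
    ),
}


def extract_src_ip(pattern: str, event: str) -> Optional[str]:
    """Return the src_ip a search-time extraction would produce for one event, or None."""
    match = re.search(pattern, event)
    return match.group("src_ip") if match else None


def run_all(events: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Apply every pattern to every event: {pattern_name: {event_name: src_ip or None}}."""
    return {
        name: {ev_name: extract_src_ip(pat, ev) for ev_name, ev in events.items()}
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    sample = {
        "reject": REJECT_EVENT,
        "reject_no_prefix": REJECT_EVENT_NO_PREFIX,
        "connect": CONNECT_EVENT,
    }
    for name, results in run_all(sample).items():
        print(name)
        for ev_name, ip in results.items():
            print(f"  {ev_name:18s} -> {ip}")
```

The first pattern extracts 203.0.113.45 from the full event but nothing from the prefix-less one, which is the kind of silent breakage you get when the extraction depends on where brackets fall rather than on the message text; the anchored pattern extracts the IP from both and from neither non-reject line. Paste your own _raw events into the sample dict before trusting any of the three in a props.conf EXTRACT or a rex call.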