Splunk Search

How come our field extractions no longer work after 7.2.0 upgrade?

DigiAngel
New Member

I have a simple field extraction for postfix:

(?=[^C]*(?:Client host rejected|C.*Client host rejected))^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)

This was working fine and giving me a src_ip, but after the upgrade from 7.1.2 to 7.2.0 it doesn't appear this works:
[screenshot]
However, when going to Field extraction my src_ip field is identified:

[screenshot]

Not sure where to go next... thank you.

0 Karma

justinw
Explorer

I had this same issue. When investigating the cause, I found that I had a field alias relating to the same sourcetype and field. The field alias was not actually doing anything, so I went ahead and deleted it. Once deleted, I was able to see the field extraction in the search. In my case the field alias was "Field"="ProblemField"
I hope this helps.

0 Karma

prakash007
Builder

On your note, just an FYI on a fieldalias incorrect behavior from 7.2.x versions...

https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html

0 Karma

richgalloway
SplunkTrust

I think your regex string is more complex than necessary. Try something simpler like Client host \[(?<src_ip>[^\]]+)\] blocked. This is untested since I can't paste screenshots into regex101.com for testing.

---
If this reply helps you, Karma would be appreciated.
0 Karma

skoelpin
SplunkTrust

Agreed. The regex needs to be cleaned up.

0 Karma

DigiAngel
New Member

While I appreciate the fact that the Splunk-generated regex may need work, in the blue screenshot above the field is shown already extracted; hovering over the IP shows "src_ip". Also, again, this worked just fine in 7.1.2... what changed in 7.2.0? Thanks for the responses.

0 Karma

skoelpin
SplunkTrust

Perhaps they made a code change to tighten rules on regex? Have you looked at the release notes? Why not just use a cleaner approach to writing regular expressions?

0 Karma

DigiAngel
New Member

I will test the changed regex... I just don't have access to the box at this moment 😉 But yeah, I'll test something different like you suggested and report my findings. Thanks.

0 Karma

skoelpin
SplunkTrust

Try adding this to test:

| rex Client\shost\s\[(?<src_ip>\d+\.\d+\.\d+\.\d+)\]

0 Karma
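To see how the three regexes in this thread (DigiAngel's generated extraction, richgalloway's simplified pattern and skoelpin's rex) actually behave, here is an added Python script that is not part of the thread and not Splunk's own code. It runs each pattern over constructed postfix/smtpd lines (assumed shapes, not the poster's real events). Splunk's PCRE accepts (?<name>...) but Python's re module only accepts (?P<name>...), so the named groups are written in the Python spelling; the "from_client" pattern is my own addition that keys on postfix's "from hostname[ip]" form instead of on the rejection reason.

```python
import re

# The three patterns from the thread. Only the named-group syntax is changed
# from (?<src_ip>...) (PCRE/Splunk) to (?P<src_ip>...) (Python re).
ORIGINAL = re.compile(
    r"(?=[^C]*(?:Client host rejected|C.*Client host rejected))"
    r"^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)"
)
SIMPLIFIED = re.compile(r"Client host \[(?P<src_ip>[^\]]+)\] blocked")
REX_STYLE = re.compile(r"Client\shost\s\[(?P<src_ip>\d+\.\d+\.\d+\.\d+)\]")

# Added pattern (assumption): postfix always logs the peer as hostname[ip]
# after "from", for both "connect from" and "reject: RCPT from" lines, so
# anchoring on that survives changes in the rejection reason text.
FROM_CLIENT = re.compile(r"\bfrom [^\s\[]+\[(?P<src_ip>[^\]]+)\]")

PATTERNS = {
    "original": ORIGINAL,
    "simplified": SIMPLIFIED,
    "rex_style": REX_STYLE,
    "from_client": FROM_CLIENT,
}

# Constructed sample events (RFC 5737 test addresses), not taken from the thread.
EVENTS = {
    # RBL rejection: "Client host [ip] blocked using ..."
    "rbl_block": (
        "Jan  5 10:12:09 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
        "unknown[192.0.2.200]: 554 5.7.1 Service unavailable; Client host "
        "[192.0.2.200] blocked using zen.spamhaus.org; from=<x@example.com> "
        "to=<y@example.org> proto=ESMTP helo=<x>"
    ),
    # Access-map rejection: "Client host rejected: Access denied"
    "access_reject": (
        "Jan  5 10:12:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
        "unknown[203.0.113.45]: 554 5.7.1 <unknown[203.0.113.45]>: Client host "
        "rejected: Access denied; from=<a@example.com> to=<b@example.org>"
    ),
    # Plain connection line, no rejection at all
    "connect": (
        "Jan  5 10:12:05 mx1 postfix/smtpd[1234]: connect from "
        "mail.example.net[198.51.100.7]"
    ),
}


def extract(pattern, event):
    """Return the src_ip capture for one pattern on one event, or None."""
    match = pattern.search(event)
    return match.group("src_ip") if match else None


def compare(events=EVENTS, patterns=PATTERNS):
    """Map every event name to {pattern name: extracted src_ip or None}."""
    return {
        event_name: {pname: extract(p, event) for pname, p in patterns.items()}
        for event_name, event in events.items()
    }


if __name__ == "__main__":
    for event_name, results in compare().items():
        print(event_name)
        for pname, ip in results.items():
            print(f"  {pname:12s} -> {ip}")
```

Running it shows that the generated regex only fires on the "Client host rejected" form (its lookahead requires that literal, and it then takes whatever sits in the third square-bracket pair), while both the simplified pattern and the rex only fire on the "Client host [ip] blocked" form. A field that seems to vanish after a change is therefore worth checking against the exact message variant in the events, separately from any version-specific extraction issue.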

DigiAngel
New Member

Aye, that rex line worked like a champ in search. That same line in field extraction doesn't work... it's almost like the extractions aren't happening. Guess I need to find a way to see what extractions are taking place.

0 Karma

DigiAngel
New Member

Here's a screenshot. Again, if I click Event Actions -> Extract Fields it matches as shown above. Thank you.
[screenshot]

0 Karma

richgalloway
SplunkTrust

Your regex string does not match your sample event. Perhaps it was mangled by the forum. Please edit your question to show the full regex string, making sure to indent the line 4 spaces or put it inside backtick characters.

---
If this reply helps you, Karma would be appreciated.
0 Karma