Splunk Search

How do I simplify the regular expression in my field extraction to improve search performance?

Motivator

Apparently the field extraction I built using Splunk Web has caused other searches on the same datasets to be horribly slow.

My log looks like this:

[1/25/17 12:57:14:378 EST] 00000eb3 SystemErr     R CIWEB.ICMAPIPlugin Error: [E111111(unknown) @ 99.9.99.999] 

All I really want is to single out the plugin name. It is always in the form CIWEB.*name*Plugin (in this case I just want the ICMAPI piece). It seems to me there should be a much simpler regular expression to identify this than the horribly huge and slow thing I built with Splunk Web.

So far the things I've tried haven't worked, either by editing the regex created by Splunk Web or by trying to do it in the search.

0 Karma
1 Solution

Motivator

Try the regex below and see if this makes it any faster than the current scenario (this one takes 29 steps to match the string from your sample):

"CIWEB\.(?<pluginName>.*?)Plugin"

See extraction here


0 Karma
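To illustrate why the lazy `.*?` in the accepted pattern matters for an extraction like this, here is an added example (not code from the post or from Splunk) that runs the answer's regex, a greedy variant, and a tighter `\w+?` alternative over the question's sample event and a second constructed event. The second event, the `STRICT` pattern and the function names are assumptions made for the demonstration; Python's `re` spells named groups as `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`.

```python
import re

# Sample event copied from the question.
SAMPLE = ("[1/25/17 12:57:14:378 EST] 00000eb3 SystemErr     R "
          "CIWEB.ICMAPIPlugin Error: [E111111(unknown) @ 99.9.99.999] ")

# Constructed event (not from the post) whose message mentions a second plugin,
# so that the greedy and lazy forms behave differently.
TWO_PLUGINS = ("[1/25/17 12:58:01:002 EST] 00000eb4 SystemErr     R "
               "CIWEB.ICMAPIPlugin Error: handed off to CIWEB.AuditPlugin")

# The accepted answer's pattern: lazy .*? stops at the FIRST "Plugin".
LAZY = re.compile(r"CIWEB\.(?P<pluginName>.*?)Plugin")

# Greedy comparison: .* runs to the LAST "Plugin" on the line, then backtracks.
GREEDY = re.compile(r"CIWEB\.(?P<pluginName>.*)Plugin")

# Assumed tighter alternative: only word characters may form the name, so the
# engine can never wander across spaces or punctuation while looking for "Plugin".
STRICT = re.compile(r"CIWEB\.(?P<pluginName>\w+?)Plugin")


def extract_plugin(line, pattern=LAZY):
    """Return the captured pluginName for one event, or None when it does not match."""
    m = pattern.search(line)
    return m.group("pluginName") if m else None


def extract_all(lines, pattern=LAZY):
    """Apply the extraction to a batch of events, keeping only the ones that matched."""
    results = {}
    for idx, line in enumerate(lines):
        name = extract_plugin(line, pattern)
        if name is not None:
            results[idx] = name
    return results


if __name__ == "__main__":
    for label, pat in (("lazy", LAZY), ("greedy", GREEDY), ("strict", STRICT)):
        print(f"{label:7} sample      -> {extract_plugin(SAMPLE, pat)!r}")
        print(f"{label:7} two_plugins -> {extract_plugin(TWO_PLUGINS, pat)!r}")
```

On the sample event all three patterns return `ICMAPI`; on the constructed two-plugin event the greedy form captures everything up to the last `Plugin`, while the lazy and `\w+?` forms still return `ICMAPI`. In Splunk the same extraction can be tried inline with `| rex field=_raw "CIWEB\.(?<pluginName>.*?)Plugin"` before committing it to a field extraction.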

Motivator

That is perfect! I was so close. It's good to know I was at least on the right track.

Thank you!

0 Karma