Splunk Search

How do I simplify the regular expression in my field extraction to improve search performance?


Apparently the field extraction I built using Splunk Web has caused other searches on the same datasets to be horribly slow.

My log looks like this:

[1/25/17 12:57:14:378 EST] 00000eb3 SystemErr     R CIWEB.ICMAPIPlugin Error: [E111111(unknown) @ 99.9.99.999] 

All I really want is to single out the plugin name. It is always in the form CIWEB.*name*Plugin (in this case I just want the ICMAPI piece). It seems to me there should be a much simpler regular expression to identify this than the horribly huge and slow thing I built with Splunk Web.

So far the things I've tried haven't worked either by editing the regex created by Splunk Web or trying to do it in the search.


Try this regex below and see if it makes anything faster than the current scenario (this one takes 29 steps to match your sample string):

"CIWEB\.(?<pluginName>.*?)Plugin"

See extraction here

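As an added worked example (not part of the thread), the accepted regex run over a few constructed events in Python, alongside a character-class variant that I assume as a tighter alternative; the `rex` form in the comment is the equivalent search-time extraction.

```python
import re

# Constructed sample events, not from a real system. The first is the line
# quoted in the question; the others exercise edge cases.
SAMPLE_EVENTS = [
    "[1/25/17 12:57:14:378 EST] 00000eb3 SystemErr     R CIWEB.ICMAPIPlugin Error: [E111111(unknown) @ 99.9.99.999]",
    "[1/25/17 12:58:01:002 EST] 00000eb4 SystemOut     O CIWEB.AuthPlugin started",
    "[1/25/17 12:58:03:440 EST] 00000eb5 SystemOut     O CIWEB.Config reloaded",   # CIWEB. but no Plugin suffix
    "[1/25/17 12:58:05:117 EST] 00000eb6 SystemOut     O heartbeat ok",            # no plugin at all
]

# The accepted answer's regex. Python spells the named group (?P<name>...),
# Splunk (PCRE) accepts (?<name>...). Search-time equivalent in Splunk:
#   | rex field=_raw "CIWEB\.(?<pluginName>.*?)Plugin"
LAZY_RE = re.compile(r"CIWEB\.(?P<pluginName>.*?)Plugin")

# Assumed tighter alternative (mine, not from the thread): a character class
# instead of .*? so the engine stops at the first non-token character and never
# scans to end of line on events like the third sample.
STRICT_RE = re.compile(r"CIWEB\.(?P<pluginName>[A-Za-z0-9_]+?)Plugin")


def extract_plugin(event: str, pattern: re.Pattern = LAZY_RE):
    """Return the plugin name from one event, or None when it carries none."""
    match = pattern.search(event)
    return match.group("pluginName") if match else None


def extract_all(events, pattern=LAZY_RE):
    """Apply the extraction to a batch of events, preserving order."""
    return [extract_plugin(event, pattern) for event in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_plugin(event), extract_plugin(event, STRICT_RE))
```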


That is perfect! I was so close. It's good to know I was at least on the right track.

Thank you!
