Splunk Search

No regex could be learned. Try providing different examples or restriction.

hikari992
Explorer

Hi everyone, I'm quite new to Splunk.
I encountered this error message, "No regex could be learned. Try providing different examples or restriction.", while I was trying to extract the longitude value using the Interactive Field Extractor. But I was able to extract the Latitude value, and this is the regex for the Latitude value that is displayed in the props.conf file: "EXTRACT-Latitude = (?i).Double">(?P[^<]+)". Please help me. Thank you.

0 Karma

kristian_kolb
Ultra Champion

1.4004771683629058/d:latitude
103.8579338813216/d:longitude

Given the data format above, I would choose to do it like so:

props.conf

[your_sourcetype]
EXTRACT-lat = >(?<latitude>[^<]+)</d:latitude
EXTRACT-long = >(?<longitude>[^<]+)</d:longitude

/K

Ayn
Legend

Just use the Latitude extraction as a template here, change latitude for longitude in both places and you should be good to go.

0 Karma

Ayn
Legend

Oh, right. Didn't see that 🙂

0 Karma

kristian_kolb
Ultra Champion

Problem is that the EXTRACT in the original question would capture both long and lat, calling them both latitude (or just keeping one of them if it's not a multi-valued field).

0 Karma
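An added example, not part of any post in this thread: it runs a prefix-anchored pattern in the style of the question's extraction and the closing-tag-anchored patterns from the props.conf answer over one constructed event, showing why the first labels both coordinates as latitude. The sample event, its `m:type` attribute, the group name in the prefix-anchored pattern and the function names are assumptions; Python's `re` needs `(?P<name>...)` where Splunk accepts `(?<name>...)`.

```python
import re

# Constructed sample event. The m:type attribute is an assumption based on
# the 'Double">' fragment in the question, not data taken from the thread.
EVENT = (
    '<d:latitude m:type="Edm.Double">1.4004771683629058</d:latitude>'
    '<d:longitude m:type="Edm.Double">103.8579338813216</d:longitude>'
)

# Prefix-anchored pattern in the style of the question's extraction.
# The group name is assumed, since it is missing from the page.
PREFIX_ANCHORED = re.compile(r'(?i).Double">(?P<latitude>[^<]+)')

# Closing-tag-anchored patterns from the props.conf answer, with
# (?<name>...) rewritten as (?P<name>...) for Python's re module.
BY_CLOSING_TAG = {
    "latitude": re.compile(r'>(?P<latitude>[^<]+)</d:latitude'),
    "longitude": re.compile(r'>(?P<longitude>[^<]+)</d:longitude'),
}


def extract_prefix_anchored(event):
    """Return every value the prefix-anchored pattern labels 'latitude'."""
    return [m.group("latitude") for m in PREFIX_ANCHORED.finditer(event)]


def extract_by_closing_tag(event):
    """Return {field: [values]} using one pattern per closing tag."""
    return {
        name: [m.group(name) for m in rx.finditer(event)]
        for name, rx in BY_CLOSING_TAG.items()
    }


if __name__ == "__main__":
    # Both coordinates come back under the single 'latitude' name.
    print(extract_prefix_anchored(EVENT))
    # Each coordinate lands in its own field.
    print(extract_by_closing_tag(EVENT))
```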

hikari992
Explorer

Hi, it's XML data.
1.4004771683629058/d:Latitude
103.8579338813216/d:Longitude

0 Karma

Ayn
Legend

Log samples please? Hard to tell you what your regular expression should look like otherwise.

0 Karma