Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why Field Extraction Stopped Working

RowdyRodney
Engager
2 weeks ago

Hello - I created a Field Extraction to look for a file extension. The raw log looks like this:

"FileName": "John Test File.docx"

The regex I used was:

"FileName":\s".+\.(?P<Domain>.[a-zA-Z0-9]*)

 

This tests out in any regex tester I use. When I first created this, I ran a search query and some of the fields populated, but some were blank. I then checked which records weren't being extracted correctly, and found the regex matched the raw log pattern, so I was unsure why it wouldn't have extracted.

However,  ~30 minutes after creating this field extraction. It stopped extracting anything. The state I'm now, I can see that each raw log record matches my extraction regex, but the fields are still empty and this isn't being extracted. Why would that be?

Each raw log matches the regex in the extraction...

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
Super Champion
2 weeks ago

Hi @RowdyRodney 

How are you doing this extraction? Is it a search-time extraction in Splunk Enterprise/Cloud?

These use PCRE based Regex whereas you have provided a Python-style named capturing group (?P...) 

Please can you update this to a PCRE based regex and see if this resolves the issue?

"FileName":\s".+\.(?<Domain>.[a-zA-Z0-9]*)

Can I also check, is the intention that it matches the file extension (docx) in your sample data?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution
Solution

livehybrid
Super Champion
2 weeks ago

Hi @RowdyRodney 

How are you doing this extraction? Is it a search-time extraction in Splunk Enterprise/Cloud?

These use PCRE based Regex whereas you have provided a Python-style named capturing group (?P...) 

Please can you update this to a PCRE based regex and see if this resolves the issue?

"FileName":\s".+\.(?<Domain>.[a-zA-Z0-9]*)

Can I also check, is the intention that it matches the file extension (docx) in your sample data?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

RowdyRodney
Engager
2 weeks ago

Thank you that helped!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...