Splunk Search

Why am I getting an error when doing field extraction with the field extractor tool?

tanp685
New Member

I'm trying to extract a field with the field extractor tool; however, I keep getting errors back.

This is a part of the sample log event containing the fields:
<pfId>208431</pfId><isoId>208431</isoId>

Both of these fields tend to have the same values most of the time, and I'm trying to root out instances where they don't have the same values. So I tried to display them with the query
| table pfId, isoId

but it doesn't work - it shows up as an empty table.

Appreciate any help I can get with this.


ddrillic
Ultra Champion

Something in the spirit of \<pfId\>(.*?)\<\/pfId\> should work.

Please use - Regular expressions 101

A good thread - Splunking HTML Formatted Log Files

Please test with -

index=<any index>
| eval _raw="<pfId>208431</pfId><isoId>208431</isoId>"
| rex field=_raw "\<pfId\>(?<pfId>.*?)\<\/pfId\>"
| rex field=_raw "\<isoId\>(?<isoId>.*?)\<\/isoId\>"

It should produce the pfId and isoId fields.


tanp685
New Member

Tried this:

index=WPG
| eval _raw="<pfId>208431</pfId><isoId>208431</isoId>"
| rex field=_raw "\<pfId\>(?<pfId>.*?)\<\/pfId\>"
| rex field=_raw "\<isoId\>(?<isoId>.*?)\<\/isoId\>"
| table pfId, isoId
| transpose


and it works!
Given that there were only two main IDs used for both pfId and isoId, I've gone with a pie chart.

Thanks everyone for your help really appreciate it.


FrankVl
Ultra Champion

If you want help resolving your issues with the field extractor, it would help if you would explain your attempts and the errors you got.

A simple rex command solution to extract these two fields in your query could look like this:

| rex "pfId\>(?<pfId>[^<]+)"
| rex "isoId\>(?<isoId>[^<]+)"

Alternatively, you could have a look at the xmlkv command: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Xmlkv

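The rex patterns in ddrillic's and FrankVl's answers both rely on the capture stopping at the first closing tag. The following added Python example (not code from the thread or from Splunk) runs the same regexes outside Splunk on a few constructed events, mimics what rex and table would produce, lists the events whose pfId and isoId differ, and shows the two ways such a pattern goes wrong: a greedy `.*` that runs to the last closing tag on the line, and a negated class `[^>]+` that does not stop at `</pfId>` because `<` and `/` are allowed characters. The sample events and the helper names are constructed for this example.

```python
import re

# Constructed sample events (not from the thread). The first mirrors the
# poster's snippet; the third has differing IDs; the fourth lacks an isoId tag.
SAMPLE_EVENTS = [
    "<event><pfId>208431</pfId><isoId>208431</isoId></event>",
    "<event><pfId>208432</pfId><isoId>208432</isoId></event>",
    "<event><pfId>208431</pfId><isoId>208499</isoId></event>",
    "<event><pfId>208433</pfId></event>",
]

# Lazy-quantifier patterns, one per field, with a named group so the capture
# lands in a field of the same name (the same idea as rex "(?<pfId>...)").
LAZY = {
    "pfId": re.compile(r"<pfId>(?P<pfId>.*?)</pfId>"),
    "isoId": re.compile(r"<isoId>(?P<isoId>.*?)</isoId>"),
}

# Caveat 1: a greedy .* runs to the LAST closing tag on the line, so an event
# with repeated tags yields one oversized capture instead of the first value.
GREEDY_PFID = r"<pfId>(.*)</pfId>"
LAZY_PFID = r"<pfId>(.*?)</pfId>"

# Caveat 2: [^>]+ only stops at '>', so it captures "208431</pfId" (the '<' and
# '/' of the closing tag are allowed). Excluding '<' instead stops at the tag.
CLASS_STOPS_AT_GT = r"pfId>([^>]+)"
CLASS_STOPS_AT_LT = r"pfId>([^<]+)"


def capture(event, pattern):
    """Return the first capture group of `pattern` in `event`, or None if no match."""
    m = re.search(pattern, event)
    return m.group(1) if m else None


def extract(event, patterns=LAZY):
    """Mimic rex: return {field: value} for each pattern that matches the event.
    A field whose pattern does not match is simply absent, which is what an
    empty cell in `| table pfId, isoId` corresponds to."""
    fields = {}
    for name, pat in patterns.items():
        m = pat.search(event)
        if m:
            fields[name] = m.group(name)
    return fields


def mismatches(events, patterns=LAZY):
    """Return (pfId, isoId) pairs for events where both fields exist and differ.
    Events missing either field are skipped rather than reported."""
    out = []
    for ev in events:
        f = extract(ev, patterns)
        if "pfId" in f and "isoId" in f and f["pfId"] != f["isoId"]:
            out.append((f["pfId"], f["isoId"]))
    return out


if __name__ == "__main__":
    # Rough equivalent of `| table pfId, isoId` over the constructed events.
    print(f"{'pfId':>8} {'isoId':>8}")
    for ev in SAMPLE_EVENTS:
        f = extract(ev)
        print(f"{f.get('pfId', ''):>8} {f.get('isoId', ''):>8}")
    print("mismatches:", mismatches(SAMPLE_EVENTS))
```

The same reasoning applies to the poster's original goal: once both fields are extracted, the rows where they differ are the ones `mismatches` returns, and the rows the field extractor failed on are the ones with an empty cell, which is why the table looked empty before any extraction was in place.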

tanp685
New Member

Thanks! Tried it.



tanp685
New Member

Tried it and it works, thanks!


ddrillic
Ultra Champion

@tanp685 - great to hear - btw, it's customary to drop on us some good points if we are helpful ;-)


cpetterborg
SplunkTrust

I've converted this comment to an Answer. @tanp685 - You can up-vote this answer, and still accept your own answer for your question, or accept this answer if you would like to do that.


solarboyz1
Builder

... | rex "\<pfId\>(?<pfId>\d+?)\<" | rex "\<isoId\>(?<isoId>\d+?)\<" | where pfId!=isoId | table pfId, isoId

tanp685
New Member

Thanks! It works.


cpetterborg
SplunkTrust

Are the fields extracted? You state that you keep getting errors with the Field Extraction Tool, so I'm assuming that you aren't getting the fields when you try to do the table command because if the fields are empty, you will get no data from the table command.


tanp685
New Member

No, they weren't, but the rex commands worked.
