Splunk Search

Why am I getting an error when doing field extraction with the field extractor tool?

tanp685
New Member

I'm trying to extract a field with the field extractor tool, however, keep getting errors back

This is a part of the sample log event containing the fields:
<pfId>208431</pfId><isoId>208431</isoId>

both these fields tend to have the same values most of the time, and I'm trying to root out instances where they don't have the same values. So tried to display them with the query
| table pfId, isoId

but it doesn't work - shows up as empty tables

Appreciate any help I can get with this.

Tags (2)
0 Karma
1 Solution

ddrillic
Ultra Champion

Something in the spirit of \<pfId\>(.*?)\<\/pfId\> should work.

Please use - Regular expressions 101

A good thread - Splunking HTML Formatted Log Files

Please test with -

index=<any index>
| eval _raw="<pfId>208431</pfId><isoId>208431</isoId>"
| rex field=_raw "\<pfId\>(?<pfId>.*?)\<\/pfId\>"
| rex field=_raw "\<isoId\>(?<isoId>.*?)\<\/isoId\>"

It should produce the pfId and isoId fields.

View solution in original post

tanp685
New Member

tried this

index=WPG
 | eval _raw="<pfId>208431</pfId><isoId>208431</isoId>"
 | rex field=_raw "\<pfId\>(?<pfId>.*?)\<\/pfId\>"
 | rex field=_raw "\<isoId\>(?<isoId>.*?)\<\/isoId\>" | table pfId, isoId | transpose |

alt text

and it works !
given that there was only two main IDs used for both pfID and isoID I've gone with a pie chart.

Thanks everyone for your help really appreciate it.

0 Karma

FrankVl
Ultra Champion

If you want help resolving your issues with the field extractor, it would help if you would explain your attempts and the errors you got.

A simple rex command solution to extract these two fields in your query could look like this:

| rex "pfId\>(?<pfId>[^\>]+)"
| rex "isoId\>(?<isoId>[^\>]+)"

Alternatively, you could have a look at the xmlkv command: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Xmlkv

0 Karma

tanp685
New Member

thanks ! tried it.

0 Karma

ddrillic
Ultra Champion

Something in the spirit of \<pfId\>(.*?)\<\/pfId\> should work.

Please use - Regular expressions 101

A good thread - Splunking HTML Formatted Log Files

Please test with -

index=<any index>
| eval _raw="<pfId>208431</pfId><isoId>208431</isoId>"
| rex field=_raw "\<pfId\>(?<pfId>.*?)\<\/pfId\>"
| rex field=_raw "\<isoId\>(?<isoId>.*?)\<\/isoId\>"

It should produce the pfId and isoId fields.

tanp685
New Member

tried it and it works thanks !

0 Karma

ddrillic
Ultra Champion

@tanp685 - great to hear - btw, it's customary to drop on us some good points if we are helpful ; -)

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I've converted this comment to an Answer. @tanp685 - You can up-vote this answer, and still accept your own answer for your question, or accept this answer if you would like to do that.

0 Karma

solarboyz1
Builder
... | rex "\<pfId\>(?<pfId>\d+?)\<" |  | rex "\<isoId\>(?<isoId>\d+?)\<"  | search pfId=isoId | table pfId, isoId
0 Karma

tanp685
New Member

thanks! it works

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Are the fields extracted? You state that you keep getting errors with the Field Extraction Tool, so I'm assuming that you aren't getting the fields when you try to do the table command because if the fields are empty, you will get no data from the table command.

0 Karma

tanp685
New Member

no they weren't. but the rex commands worked.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...