Splunk Search

Why am I getting this error trying to extract 2 strings? "The extraction failed. If you are extracting multiple fields, try removing one or more fields..."

sunnyparmar
Communicator

Hi,

I am using Splunk 6.2, and when I go to extract the field it gives me the following error:

The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

My data looks like the lines below, and I want to make an extraction for two events, i.e. "Sending reply for message" and "reply message sent", but I get the error pasted above. Please suggest how to resolve this issue.

DEBUG [main] 09-08 12:30:26 Sending reply for message [mail box: xyz@basware.com, sender: abc@basware.com, subject: Email Fetcher Performance Testing <<< current timestamp: 1441715338532 >>>] (Sending.java:309)
DEBUG [main] 09-08 12:30:26 validating velocity Template path... (Sending.java:508)
DEBUG [main] 09-08 12:30:26 reply message sent. (Sending.java:392) 

Thanks


tskinnerivsec
Contributor

What does your current extraction look like in your props.conf file? Exactly what text in those events are you trying to assign a field to? Are you trying to create fields for sender and subject? If so, then you would do something like this in your props.conf file:

[sourcetype_name]
# this will be whatever sourcetype you have assigned to these events
EXTRACT-kv_event = \[mail\sbox:\s(?<mailbox>[^,]+),\ssender:\s(?<sender>[^,]+),\ssubject:\s(?<subject>[^<]+?)\s*<

This would extract the fields mailbox, sender and subject out of your event.

Just a note, this site's formatting wrapped the code a little weird. The above is 2 lines of code, the first line ends with the comment and the 2nd line starts with the EXTRACT-kv_event string.


sunnyparmar
Communicator

Thanks for replying, but I want to extract these two events ("Sending reply for message" & "reply message sent") from the logs given above, so could you please tell me how to make entries for these two events in the props.conf file? My props.conf file currently looks like this:

# Version 6.2.1
# Stanza that matches every string, using a property over 100
# enables us to override even literal matches. So here we disable:
# (1) header line processing

[(::)?...]
CHECK_FOR_HEADER = false
priority = 10001

So do I need to add your lines given above below these lines, and after making the extraction in the props.conf file, will it show in Splunk Settings -> Fields -> Field Extractions?

Thanks

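A way to check both extractions offline before editing props.conf, added here as an editor's example (it is not code from this thread or from Splunk): it runs the kv regex from the answer above, with its named groups restored, and an assumed second regex that tags which of the two events the follow-up asks about in one `action` field, over the three sample events from the question. The only translation needed is Splunk's PCRE group syntax `(?<name>...)` to Python's `(?P<name>...)`; the field names `mailbox`, `sender`, `subject` come from the answer, and `action` is an assumption.

```python
import re

# Constructed sample events, copied from the question above (not live data).
SAMPLE_EVENTS = [
    "DEBUG [main] 09-08 12:30:26 Sending reply for message [mail box: xyz@basware.com, "
    "sender: abc@basware.com, subject: Email Fetcher Performance Testing "
    "<<< current timestamp: 1441715338532 >>>] (Sending.java:309)",
    "DEBUG [main] 09-08 12:30:26 validating velocity Template path... (Sending.java:508)",
    "DEBUG [main] 09-08 12:30:26 reply message sent. (Sending.java:392)",
]

# Regexes written in props.conf syntax (PCRE named groups: (?<name>...)).
# KV_REGEX is the answer's EXTRACT-kv_event with its group names restored.
# ACTION_REGEX is an assumed addition, not from the thread: one alternation
# that labels whichever of the two events is present.
KV_REGEX = (
    r"\[mail\sbox:\s(?<mailbox>[^,]+),\ssender:\s(?<sender>[^,]+),"
    r"\ssubject:\s(?<subject>[^<]+?)\s*<"
)
ACTION_REGEX = r"(?<action>Sending reply for message|reply message sent)"


def to_python(pcre: str) -> re.Pattern:
    """Translate PCRE named groups to Python's (?P<name>...).

    Only '(?<' followed by a name is rewritten; lookbehinds '(?<=' and
    '(?<!' are left alone.
    """
    return re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pcre))


def extract(regex_pcre: str, event: str) -> dict:
    """Apply one props.conf-style extraction to one event.

    Returns {} when the regex does not match, mirroring Splunk, where an
    EXTRACT that does not match simply adds no fields to that event.
    """
    m = to_python(regex_pcre).search(event)
    return m.groupdict() if m else {}


def extract_all(events):
    """Run every extraction over every event and merge the fields per event."""
    results = []
    for ev in events:
        fields = {}
        for rx in (KV_REGEX, ACTION_REGEX):
            fields.update(extract(rx, ev))
        results.append(fields)
    return results


if __name__ == "__main__":
    for ev, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(ev[:45] + "...", "->", fields)
```

Because the two strings of interest occur in different events, no single regex can capture both from one event; the alternation captures whichever is present, the first event gets both the kv fields and `action`, the "validating velocity" event gets no fields at all, and the third gets only `action`. Once the regexes behave as expected here, they can be pasted unchanged into an `EXTRACT-` line, since Splunk reads the `(?<name>...)` form directly.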