Why am I receiving this error when I am trying to extract a streetname which can appear either with or without another field in front of it in the input stream?

New Member

The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
Select Fields
Highlight one or more values in the sample event to create fields. You can indicate one value is required, meaning it must exist in an event for the regular expression to match. Click on highlighted values in the sample event to modify them. To highlight text that is already part of an existing extraction, first turn off the existing extractions. Learn more
Feb 14 14:44:18 exnet-01a.intechnologywifi.com local1 events: EventType[Area Change] MAC[00:B3:62:BE:8E:B7] Details: Area[SS1 - CCTV193 - Eastern Esplanade]
Feb 10 13:56:29 exnet-01a.intechnologywifi.com local1 events: EventType[Area Change] MAC[A4:E4:B8:6E:DD:D2] Details: Area[SS1 - Leigh On Sea Community Centre]

0 Karma
Re: Why am I receiving this error when I am trying to extract a streetname which can appear either with or without another field in front of it in the input stream?

Champion

Here is a solution to the regex, which considers the middle - somestring to be optional:

https://regex101.com/r/TrXBUL/1

As for why your regex caused that error, you'd need to post the regex you used for anyone to give you an answer.

Updated link that also grabs the middle value:

https://regex101.com/r/TrXBUL/4

It was just a case of adding a named capture group for the portion of the optional group up until the space.

0 Karma
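An added example, not the regex behind the regex101 links and not part of any post in this thread: it runs a pattern with a required middle token beside one with an optional middle token over the two sample events from the question. The field names `site` and `camera` are assumptions (only `streetname` comes from the question), and the middle token is assumed to contain no spaces.

```python
import re

# The first two events are copied from the question; the third is
# constructed to show an event with no Area[...] segment at all.
EVENTS = [
    "Feb 14 14:44:18 exnet-01a.intechnologywifi.com local1 events: "
    "EventType[Area Change] MAC[00:B3:62:BE:8E:B7] "
    "Details: Area[SS1 - CCTV193 - Eastern Esplanade]",
    "Feb 10 13:56:29 exnet-01a.intechnologywifi.com local1 events: "
    "EventType[Area Change] MAC[A4:E4:B8:6E:DD:D2] "
    "Details: Area[SS1 - Leigh On Sea Community Centre]",
    "Feb 10 13:57:02 exnet-01a.intechnologywifi.com local1 events: "
    "EventType[Heartbeat]",  # constructed
]

# Middle token required: only three-part Area values can match.
STRICT = re.compile(
    r"Area\[(?P<site>\S+) - (?P<camera>\S+) - (?P<streetname>[^\]]+)\]"
)

# Middle token and its trailing " - " wrapped in an optional
# non-capturing group; the named group covers only the part up to the
# space, so it is None when the token is absent.
OPTIONAL = re.compile(
    r"Area\[(?P<site>\S+) - (?:(?P<camera>\S+) - )?(?P<streetname>[^\]]+)\]"
)


def extract_area(event, pattern=OPTIONAL):
    """Return the named fields as a dict, or None if nothing matches."""
    match = pattern.search(event)
    return match.groupdict() if match else None


if __name__ == "__main__":
    for event in EVENTS:
        print("strict:  ", extract_area(event, STRICT))
        print("optional:", extract_area(event))
```

The pattern string can be pasted into a Splunk `rex` command unchanged, since PCRE accepts the `(?P<name>...)` group syntax.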
Re: Why am I receiving this error when I am trying to extract a streetname which can appear either with or without another field in front of it in the input stream?

New Member

That's solved it, thanks. How would I extract the previous field, which may or may not exist in the string, i.e. CCTV193 in this case?

0 Karma
Re: Why am I receiving this error when I am trying to extract a streetname which can appear either with or without another field in front of it in the input stream?

Champion

Edited my answer with a new link to meet that need.

0 Karma
Re: Why am I receiving this error when I am trying to extract a streetname which can appear either with or without another field in front of it in the input stream?

New Member

Excellent, thanks - I'd nearly worked it out!

0 Karma