Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't the new field extractor utility for Splunk 6.2 find the regex for simple extractions?

Cuyose
Builder
‎10-29-2014 08:54 AM

I was initially excited about the new field extraction wizard, however the first time I used it, it failed to do one of the easiest field extractions.

For a series of events like this with the order id being different for each even it was unable to extract a field. Highlighting 1871234 and choosing the extraction name just failed to find anything matching.

2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234

This has to be some operator error, i can't believe it wouldn't be able to figure this out.

Reply
1 Solution
Solved! Jump to solution
Solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-29-2014 06:43 PM

Alternatively, you can sometimes get a better match by choosing a field closer to the middle of the event to "anchor" the Regex. I was able to get things working with your sample data by first extracting the line number and then the order id.

View solution in original post

Reply
Solved! Jump to solution
Solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-29-2014 06:43 PM

Alternatively, you can sometimes get a better match by choosing a field closer to the middle of the event to "anchor" the Regex. I was able to get things working with your sample data by first extracting the line number and then the order id.

Reply
Solved! Jump to solution

Cuyose
Builder
‎10-29-2014 06:47 PM

I found this out too, if you extract another field in the event, it will then find the second "order ID" extraction. I just find it weird, that a string of digits at the end of each event following the exact same strings wasn't identified on its own.

0 Karma
Reply
Solved! Jump to solution

MillerTime
Splunk Employee
Splunk Employee
‎10-30-2014 01:59 PM

We've since fixed this issue with the field extractor and hope to include it in a maintenance or minor release it as soon as possible (I tested against your data and was able to extract the order ID without an anchor).

Reply
Solved! Jump to solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-29-2014 03:34 PM

It looks like this is a defect in the new field extractor, which has been filed internally. Writing a custom Regex manually is probably the best work-around at the moment. But you can still use the new field extractor UI in manual mode by clicking either "I prefer to write the regular expression myself" or "Show Regular Expression" -> "Edit the Regular Expression" depending on where you are in the flow. That way you will be able to visually preview the results of your Regex before you save it.

Reply
Solved! Jump to solution

musskopf
Builder
‎10-29-2014 03:21 PM

Would be easier to create the Regex by your self. If you have only this kind of event in your index you could use something like:

(?P<orderID>\d+)$

But if want to be safer, you might decide to include a bit more of the raw event:

\[INFO\].+Billing successful for order id (?P<orderID>\d+)$

Just go to Splunk Settings -> Fields -> Field Extraction -> "Select the App" and Create a New for the correct Sourcetype

Cheers,

0 Karma
Reply
Solved! Jump to solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-29-2014 09:20 AM

Could you provide a few more (10-20) representative sample events from the data you're working with?

0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎10-29-2014 10:31 AM

2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234
2014-10-29 11:30:51,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871235
2014-10-29 11:30:52,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871236
2014-10-29 11:30:53,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871237
2014-10-29 11:30:54,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871238
2014-10-29 11:30:55,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871239
2014-10-29 11:30:56,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871240

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...