Splunk Search

Why can't the new field extractor utility for Splunk 6.2 find the regex for simple extractions?

Cuyose
Builder

I was initially excited about the new field extraction wizard, however the first time I used it, it failed to do one of the easiest field extractions.

For a series of events like this, with the order id being different for each event, it was unable to extract a field. Highlighting 1871234 and choosing the extraction name just failed to find anything matching.

2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234

This has to be some operator error, I can't believe it wouldn't be able to figure this out.

1 Solution

Simon_Fishel
Splunk Employee

Alternatively, you can sometimes get a better match by choosing a field closer to the middle of the event to "anchor" the Regex. I was able to get things working with your sample data by first extracting the line number and then the order id.

Cuyose
Builder

I found this out too: if you extract another field in the event, it will then find the second "order ID" extraction. I just find it weird that a string of digits at the end of each event, following the exact same strings, wasn't identified on its own.

0 Karma

MillerTime
Splunk Employee

We've since fixed this issue with the field extractor and hope to include it in a maintenance or minor release as soon as possible (I tested against your data and was able to extract the order ID without an anchor).

Simon_Fishel
Splunk Employee

It looks like this is a defect in the new field extractor, which has been filed internally. Writing a custom Regex manually is probably the best work-around at the moment. But you can still use the new field extractor UI in manual mode by clicking either "I prefer to write the regular expression myself" or "Show Regular Expression" -> "Edit the Regular Expression" depending on where you are in the flow. That way you will be able to visually preview the results of your Regex before you save it.

musskopf
Builder

It would be easier to create the Regex yourself. If you have only this kind of event in your index you could use something like:

(?P<orderID>\d+)$

But if you want to be safer, you might decide to include a bit more of the raw event:

\[INFO\].+Billing successful for order id (?P<orderID>\d+)$

Just go to Splunk Settings -> Fields -> Field Extraction -> "Select the App" and create a new one for the correct Sourcetype.

Cheers,

0 Karma

Simon_Fishel
Splunk Employee

Could you provide a few more (10-20) representative sample events from the data you're working with?

0 Karma

Cuyose
Builder

2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234
2014-10-29 11:30:51,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871235
2014-10-29 11:30:52,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871236
2014-10-29 11:30:53,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871237
2014-10-29 11:30:54,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871238
2014-10-29 11:30:55,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871239
2014-10-29 11:30:56,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871240

0 Karma