Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why can't the new field extractor utility for ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was initially excited about the new field extraction wizard, however the first time I used it, it failed to do one of the easiest field extractions.
For a series of events like this with the order id being different for each even it was unable to extract a field. Highlighting 1871234 and choosing the extraction name just failed to find anything matching.
2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234
This has to be some operator error, i can't believe it wouldn't be able to figure this out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alternatively, you can sometimes get a better match by choosing a field closer to the middle of the event to "anchor" the Regex. I was able to get things working with your sample data by first extracting the line number and then the order id.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alternatively, you can sometimes get a better match by choosing a field closer to the middle of the event to "anchor" the Regex. I was able to get things working with your sample data by first extracting the line number and then the order id.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found this out too, if you extract another field in the event, it will then find the second "order ID" extraction. I just find it weird, that a string of digits at the end of each event following the exact same strings wasn't identified on its own.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We've since fixed this issue with the field extractor and hope to include it in a maintenance or minor release it as soon as possible (I tested against your data and was able to extract the order ID without an anchor).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like this is a defect in the new field extractor, which has been filed internally. Writing a custom Regex manually is probably the best work-around at the moment. But you can still use the new field extractor UI in manual mode by clicking either "I prefer to write the regular expression myself" or "Show Regular Expression" -> "Edit the Regular Expression" depending on where you are in the flow. That way you will be able to visually preview the results of your Regex before you save it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would be easier to create the Regex by your self. If you have only this kind of event in your index you could use something like:
(?P<orderID>\d+)$
But if want to be safer, you might decide to include a bit more of the raw event:
\[INFO\].+Billing successful for order id (?P<orderID>\d+)$
Just go to Splunk Settings -> Fields -> Field Extraction -> "Select the App" and Create a New for the correct Sourcetype
Cheers,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you provide a few more (10-20) representative sample events from the data you're working with?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234
2014-10-29 11:30:51,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871235
2014-10-29 11:30:52,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871236
2014-10-29 11:30:53,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871237
2014-10-29 11:30:54,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871238
2014-10-29 11:30:55,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871239
2014-10-29 11:30:56,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871240
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
