Why can't the new field extractor utility for Splunk 6.2 find the regex for simple extractions?

Cuyose
Builder

I was initially excited about the new field extraction wizard; however, the first time I used it, it failed to do one of the easiest field extractions.

For a series of events like this, with the order id being different for each event, it was unable to extract a field. Highlighting 1871234 and choosing the extraction name just failed to find anything matching.

2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234

This has to be some operator error; I can't believe it wouldn't be able to figure this out.

1 Solution

Simon_Fishel
Splunk Employee

Alternatively, you can sometimes get a better match by choosing a field closer to the middle of the event to "anchor" the Regex. I was able to get things working with your sample data by first extracting the line number and then the order id.

Cuyose
Builder

I found this out too: if you extract another field in the event, it will then find the second "order ID" extraction. I just find it weird that a string of digits at the end of each event, following the exact same strings, wasn't identified on its own.

0 Karma

MillerTime
Splunk Employee

We've since fixed this issue with the field extractor and hope to include it in a maintenance or minor release as soon as possible (I tested against your data and was able to extract the order ID without an anchor).

Simon_Fishel
Splunk Employee

It looks like this is a defect in the new field extractor, which has been filed internally. Writing a custom Regex manually is probably the best workaround at the moment. But you can still use the new field extractor UI in manual mode by clicking either "I prefer to write the regular expression myself" or "Show Regular Expression" -> "Edit the Regular Expression", depending on where you are in the flow. That way you will be able to visually preview the results of your Regex before you save it.

musskopf
Builder

It would be easier to create the Regex yourself. If you have only this kind of event in your index, you could use something like:

(?P<orderID>\d+)$

But if you want to be safer, you might decide to include a bit more of the raw event:

\[INFO\].+Billing successful for order id (?P<orderID>\d+)$

Just go to Splunk Settings -> Fields -> Field Extraction -> "Select the App" and create a new extraction for the correct Sourcetype.

Cheers,

0 Karma
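To show why the second, longer regex is the safer choice, here is an added example (not code from the thread or from Splunk) that runs both of musskopf's patterns, plus a version of Simon_Fishel's "anchor on a middle field" idea, over the thread's sample events with Python's re module. The named-group syntax (?P<name>...) is the same in PCRE, which Splunk uses, and in Python, so the patterns run unchanged. Assumptions: the events are single lines (the forum wraps them), and two extra events that are not successful billing lines are constructed here to show what the loose regex does with them.

```python
import re

# Constructed single-line versions of the thread's sample events (the forum
# wraps them onto two lines), plus two constructed events that are NOT
# successful billing lines but still end in a run of digits.
PREFIX = ("- from application in play-akka.actor.actions-dispatcher-21 "
          "LitleBatchRequest->processReceived() line")
EVENTS = [
    f"2014-10-29 11:30:50,917 - [INFO] {PREFIX} 738 : Billing successful for order id 1871234",
    f"2014-10-29 11:30:51,917 - [INFO] {PREFIX} 738 : Billing successful for order id 1871235",
    f"2014-10-29 11:30:52,917 - [INFO] {PREFIX} 738 : Billing successful for order id 1871236",
    # constructed: not a billing event at all, but its last token is numeric
    f"2014-10-29 11:30:53,100 - [WARN] {PREFIX} 812 : Retry scheduled, attempt 3",
    # constructed: a billing failure with the same tail shape as a success
    f"2014-10-29 11:30:54,200 - [ERROR] {PREFIX} 760 : Billing failed for order id 1871237",
]

# musskopf's two regexes, verbatim from the thread.
LOOSE = re.compile(r"(?P<orderID>\d+)$")
STRICT = re.compile(r"\[INFO\].+Billing successful for order id (?P<orderID>\d+)$")

# Simon_Fishel's suggestion (extract the line number first, then the order id)
# written as a single regex; hypothetical field name "line" is assumed here.
ANCHORED = re.compile(
    r"line (?P<line>\d+) : Billing successful for order id (?P<orderID>\d+)$")


def extract(pattern, events):
    """Apply a field-extraction regex to each event, as Splunk's rex/EXTRACT
    would. Returns one dict of captured fields per event ({} when no match)."""
    return [m.groupdict() if (m := pattern.search(e)) else {} for e in events]


def order_ids(pattern, events):
    """Only the orderID value per event, in event order (None when absent)."""
    return [fields.get("orderID") for fields in extract(pattern, events)]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT), ("anchored", ANCHORED)):
        print(f"{name:>9}: {order_ids(pat, EVENTS)}")
```

The loose pattern happily assigns orderID=3 to the retry event and 1871237 to the failed billing, so any search, report or alert keyed on orderID would silently count non-successes as successes; the strict and anchored patterns leave those events without the field. In Splunk the strict pattern is the same string you would pass to rex, or set as EXTRACT-orderID under the sourcetype stanza in props.conf. If the events really are two lines rather than wrapped, remember that . does not cross a newline in PCRE unless the pattern starts with (?s).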

Simon_Fishel
Splunk Employee

Could you provide a few more (10-20) representative sample events from the data you're working with?

0 Karma

Cuyose
Builder

2014-10-29 11:30:50,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871234
2014-10-29 11:30:51,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871235
2014-10-29 11:30:52,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871236
2014-10-29 11:30:53,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871237
2014-10-29 11:30:54,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871238
2014-10-29 11:30:55,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871239
2014-10-29 11:30:56,917 - [INFO] - from application in play-akka.actor.actions-dispatcher-21
LitleBatchRequest->processReceived() line 738 : Billing successful for order id 1871240

0 Karma