Splunk Search

Why does field extraction fail?

jsven7
Communicator

Hi

I'm using the field extractor for messages like the one below. The first message is fine. For some reason the extractions do not apply to all of the messages, so I have to select the messages that do not work and begin extracting for those as well. When I get to the last field I want in the second message I get this error:

⚠ The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

Why? I do what it tells me to do but no luck. Appreciate the help.

Sample:
Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)


sundareshr
Legend

I have seen this error before as well. From what I can tell, Splunk tries to build the regex using very generic expressions. So, in your example, the regex for, say, extracting (RACF) and extracting (Self Help) would be very similar, and that confuses Splunk. Hence the error. Your best course would be to write your own regex to extract the fields. If you can be a bit more specific about the fields you would like to extract, I can try and help with the regex.



jsven7
Communicator

Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)

Thanks for your response. I want the guys in bold. So I don't even want the "RACF" or "Self Help". I know I can write the code in SPL but I just don't understand why the field extractor works perfectly fine for some messages but then not for others. The format is the same.

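An added example, not from this thread or from Splunk, of the hand-written approach sundareshr suggests: one named-group regex for the sample event, checked in Python before it goes into a rex command. It also shows why a comma-anchored pattern learned from one event misaligns on the next: the quoted field changes the column count. The field names, the second sample event and the forum line wrap being a single space are my assumptions.

```python
import re

# Constructed from the sample event in the thread (forum line wrap removed).
SAMPLE = (
    "Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, "
    "12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"
    '"P.RDP.c3 Priv Win 4.1.2, Password Change (RACF), Password Reset (Self Help)",'
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,"
    "Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)"
)

# Constructed second event: same format, but only one item in the quoted field.
SAMPLE2 = (
    "Oct 5 02:45:10 rlay256-x7t0 : 2015-10-05,2:45:10, PUY5678, rlay256-x7t0, "
    "12.123.1.3, 123.123.12.12, 123457, P.RDP.Signed (Old),"
    '"P.RDP.c3 Priv Win 4.1.2",'
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,"
    "Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000001)"
)

# One hand-written regex for the whole event. Field names are assumed.
# The quoted, comma-bearing field is matched as a unit ("[^"]*"), which is
# exactly what a comma-anchored pattern cannot do. Splunk's rex uses PCRE:
# write (?<name>...) there instead of Python's (?P<name>...).
EVENT_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<syslog_host>\S+) : "
    r"(?P<date>\d{4}-\d{2}-\d{2}),(?P<time>\d{1,2}:\d{2}:\d{2}),\s*"
    r"(?P<user_id>[^,]+),\s*(?P<host>[^,]+),\s*(?P<src_ip>[^,]+),\s*(?P<dst_ip>[^,]+),\s*"
    r"(?P<record_id>\d+),\s*(?P<policy>[^,]+),"
    r'"(?P<groups>[^"]*)",'       # quoted list, commas inside are kept
    r"(?P<user_agent>[^,]*)"
    r"(?:,[^,]*){5},"             # five empty columns, then the message
    r"(?P<message>.*)$"
)


def extract(line):
    """Return the named fields of one event, or None when it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def naive_column_count(line):
    """Column count a plain comma split sees. It varies with the number of
    commas inside the quoted field, so positional patterns that fit one
    event silently land on the wrong column in the next."""
    return len(line.split(","))
```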