Splunk Search

Why does field extraction fail?

jsven7
Communicator

Hi

I'm using field extractor for messages like the one below. The first message is fine. For some reason the extractions do not apply to all of the messages so I have to select the messages that do not work and begin extracting for those as well. When I get to the last field I want in the second message I get this error:

⚠ The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

Why? I do what it tells me to do but no luck. Appreciate the help.

Sample:
Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)

Tags (1)
0 Karma
1 Solution

sundareshr
Legend

I have seen this error before as well. From what I can tell, Splunk tries to build regex using very generic expressions. So, in your example, the regex for, say extracting (RACF) & extracting (Self Help) would be very similar and that confuses Splunk. Hence the error. Your best course would be to write your own regex to extract the fields. If you can be a bit more specific about the fields you would like to extract, I can try and help with regex.

View solution in original post

sundareshr
Legend

I have seen this error before as well. From what I can tell, Splunk tries to build regex using very generic expressions. So, in your example, the regex for, say extracting (RACF) & extracting (Self Help) would be very similar and that confuses Splunk. Hence the error. Your best course would be to write your own regex to extract the fields. If you can be a bit more specific about the fields you would like to extract, I can try and help with regex.

jsven7
Communicator

Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)

Thanks for your response. I want the guys in bold. So I don't even want the "RACF" or "Self Help". I know I can write the code in SPL but I just don't understand why the field extractor works perfectly fine for some messages but then not for others. The format is the same.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...