Splunk Search

Why does field extraction fail?

jsven7
Communicator

Hi

I'm using the field extractor for messages like the one below. The first message is fine. For some reason the extractions do not apply to all of the messages, so I have to select the messages that do not work and begin extracting for those as well. When I get to the last field I want in the second message, I get this error:

⚠ The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

Why? I do what it tells me to do but no luck. Appreciate the help.

Sample:
Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)


sundareshr
Legend

I have seen this error before as well. From what I can tell, Splunk tries to build the regex using very generic expressions. So, in your example, the regex for, say, extracting (RACF) and extracting (Self Help) would be very similar, and that confuses Splunk. Hence the error. Your best course would be to write your own regex to extract the fields. If you can be a bit more specific about the fields you would like to extract, I can try and help with the regex.


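As an added example (not part of the original thread, and not a regex from either poster): a hand-written pattern for the sample event, exercised in Python because its `re` engine is close enough to the PCRE that Splunk's `rex` uses to check the pattern offline before pasting it into a search. The field names (`user`, `roles`, `event_id`, `resource` and so on) are assumptions, since the thread does not say which columns are wanted, and the second, single-line event is constructed. The point it shows: the ninth column of the posted event is CSV-quoted and contains commas and a line break, so anything that treats commas as plain delimiters sees a different column count for otherwise identical events, while a pattern that knows about the quoting extracts both.

```python
import re
from typing import Optional

# Constructed sample events (not captured from a live system). The first is the
# event posted in the thread: its ninth column is CSV-quoted and contains both
# commas and a line break. The second is a made-up single-line variant with an
# unquoted ninth column, to show that one pattern covers both shapes.
SAMPLE_EVENTS = [
    "Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, "
    "12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"
    '"P.RDP.c3 Priv Win 4.1.2,\nPassword Change (RACF), Password Reset (Self Help)",'
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,"
    "Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)",
    "Oct 5 02:45:10 rlay256-x7t0 : 2015-10-05,2:45:10, ABC9876, rlay256-x7t0, "
    "10.0.0.5, 123.123.12.12, 123457, P.RDP.Signed (Old),P.RDP.c3 Basic,"
    "curl/7.64.1,,,,,,Login failed for 123.123.12.12/P.RDP.Signed (Old) (session:00000001)",
]

# Hand-written pattern. Field names are assumptions: the thread never says what
# the columns mean. Anchored at both ends so a partial match cannot silently
# mis-assign columns when the quoted block shifts everything after it.
FIELD_PATTERN = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<syslog_host>\S+)\s+:\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}),"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}),\s*"
    r"(?P<user>[^,]*),\s*"
    r"(?P<host>[^,]*),\s*"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}),\s*"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}),\s*"
    r"(?P<event_id>\d+),\s*"
    r"(?P<resource>[^,]*),"
    # A CSV-quoted column may hold commas, newlines and doubled quotes; fall
    # back to a plain column when it is not quoted.
    r'(?:"(?P<roles>(?:[^"]|"")*)"|(?P<roles_unquoted>[^,]*)),'
    r"(?P<user_agent>[^,]*)"
    r"(?:,[^,]*)*?,"        # any number of empty or unused columns
    r"(?P<message>[^,]*)$"
)


def extract_fields(event: str) -> Optional[dict]:
    """Apply the hand-written pattern; return the named groups, or None if the
    event does not have this shape (so a caller notices instead of getting
    half-filled fields)."""
    m = FIELD_PATTERN.match(event)
    if not m:
        return None
    fields = m.groupdict()
    # Fold the two "roles" alternatives into one field, undo CSV quote doubling,
    # and split the comma-separated list (makemv territory in SPL).
    quoted = fields.pop("roles")
    unquoted = fields.pop("roles_unquoted")
    roles_raw = quoted if quoted is not None else unquoted
    fields["roles"] = [r.strip() for r in roles_raw.replace('""', '"').split(",")]
    return fields


def naive_column_count(event: str) -> int:
    """What a plain split on commas sees for the body after the syslog header.
    The quoted column inflates the count, so positional extraction drifts."""
    body = event.split(" : ", 1)[1]
    return len(body.split(","))


def splunk_rex_command(pattern: re.Pattern = FIELD_PATTERN) -> str:
    """Render the same pattern as an SPL rex command. Splunk's rex is PCRE and
    documents the (?<name>...) group syntax, so rewrite Python's (?P<name>...)
    and escape the double quotes that would otherwise end the SPL string."""
    spl_regex = pattern.pattern.replace("(?P<", "(?<").replace('"', r'\"')
    return 'rex field=_raw "' + spl_regex + '"'


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("naive column count:", naive_column_count(ev))
        print(extract_fields(ev))
    print(splunk_rex_command())
```

The two events differ only in whether the ninth column is quoted, yet a comma split sees 18 columns for the first and 16 for the second; the anchored pattern returns the same field set for both. The `$` anchor is deliberate: with multi-line events the closing quote and the line break inside it are part of `_raw`, and the anchor makes a wrong match fail outright rather than yield shifted values.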

jsven7
Communicator

Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)

Thanks for your response. I want the guys in bold. So I don't even want the "RACF" or "Self Help". I know I can write the code in SPL but I just don't understand why the field extractor works perfectly fine for some messages but then not for others. The format is the same.
