Splunk Search

Why does field extraction fail?

jsven7
Communicator

Hi

I'm using field extractor for messages like the one below. The first message is fine. For some reason the extractions do not apply to all of the messages so I have to select the messages that do not work and begin extracting for those as well. When I get to the last field I want in the second message I get this error:

⚠ The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

Why? I do what it tells me to do but no luck. Appreciate the help.

Sample:
Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)

Tags (1)
0 Karma
1 Solution

sundareshr
Legend

I have seen this error before as well. From what I can tell, Splunk tries to build regex using very generic expressions. So, in your example, the regex for, say extracting (RACF) & extracting (Self Help) would be very similar and that confuses Splunk. Hence the error. Your best course would be to write your own regex to extract the fields. If you can be a bit more specific about the fields you would like to extract, I can try and help with regex.

View solution in original post

sundareshr
Legend

I have seen this error before as well. From what I can tell, Splunk tries to build regex using very generic expressions. So, in your example, the regex for, say extracting (RACF) & extracting (Self Help) would be very similar and that confuses Splunk. Hence the error. Your best course would be to write your own regex to extract the fields. If you can be a bit more specific about the fields you would like to extract, I can try and help with regex.

jsven7
Communicator

Oct 5 02:44:54 rlay256-x7t0 : 2015-10-05,2:44:54, PUY1234, rlay256-x7t0, 12.123.1.2, 123.123.12.12, 123456, P.RDP.Signed (Old),"P.RDP.c3 Priv Win 4.1.2,
Password Change (RACF), Password Reset (Self Help)",Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,,,,,,Login succeeded for 123.123.12.12/P.RDP.Signed (Old) (session:00000000)

Thanks for your response. I want the guys in bold. So I don't even want the "RACF" or "Self Help". I know I can write the code in SPL but I just don't understand why the field extractor works perfectly fine for some messages but then not for others. The format is the same.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...