Splunk Search

Why am I getting this error trying to extract 2 strings? "The extraction failed. If you are extracting multiple fields, try removing one or more fields..."

sunnyparmar
Communicator

Hi,

I am using Splunk 6.2 and when going to extract the field, it is giving me the following error:

The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

My data looks like the sample below, and I want to make an extraction for two events, i.e. "Sending reply for message" and "reply message sent", but I get the error pasted above. Please suggest how to resolve this issue.

DEBUG [main] 09-08 12:30:26 Sending reply for message [mail box: xyz@basware.com, sender: abc@basware.com, subject: Email Fetcher Performance Testing <<< current timestamp: 1441715338532 >>>] (Sending.java:309)
DEBUG [main] 09-08 12:30:26 validating velocity Template path... (Sending.java:508)
DEBUG [main] 09-08 12:30:26 reply message sent. (Sending.java:392) 

Thanks


tskinnerivsec
Contributor

What does your current extraction look like in your props.conf file? Exactly what text in those events are you trying to assign a field to? Are you trying to create fields for sender and subject? If so, then you would do something like this in your props.conf file:

[sourcetype_name] # this will be whatever sourcetype you have assigned to these events
EXTRACT-kv_event = \[mail\sbox\:\s(?<mailbox>[^\,]+)\,\ssender\:\s(?<sender>[^\,]+)\,\ssubject\:\s(?<subject>[^\<]+)\<

This would extract the fields mailbox, sender and subject out of your event.

Just a note, this site's formatting wrapped the code a little weird. The above is 2 lines of code, the first line ends with the comment and the 2nd line starts with the EXTRACT-kv_event string.


sunnyparmar
Communicator

Thanks for replying, but I want to extract these two events ("Sending reply for message" & "reply message sent") from the logs given above. Could you please tell me how to make entries for these two events in the props.conf file? My props.conf file currently looks like this, with the entries below:

# Version 6.2.1
# Stanza that matches every string, using a property over 100
# enables us to override even literal matches. So here we disable:
# (1) header line processing

[(::)?...]
CHECK_FOR_HEADER = false
priority = 10001

So do I need to add your lines below these lines? And after making the extraction in the props.conf file, will it show up in Splunk under Settings -> Fields -> Field extractions?

Thanks

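A quick way to check that a props.conf regex actually matches the events before pasting it into Splunk is to run it against the sample events locally. The script below is an added example, not code from the thread or from Splunk: it applies the EXTRACT-kv_event regex from the answer above (rewritten with Python's (?P<name>...) group syntax, since Splunk's PCRE form (?<name>...) is not accepted by Python's re module) and a second, hypothetical extraction named event_type that captures the two literal strings the asker wants, each as its own named group rather than one combined pattern. The three events are copied from the question; everything else (the function names, the event_type field) is an assumption made for this illustration.

```python
import re

# Constructed sample input: the three events from the question, verbatim.
SAMPLE_EVENTS = [
    "DEBUG [main] 09-08 12:30:26 Sending reply for message [mail box: xyz@basware.com, "
    "sender: abc@basware.com, subject: Email Fetcher Performance Testing "
    "<<< current timestamp: 1441715338532 >>>] (Sending.java:309)",
    "DEBUG [main] 09-08 12:30:26 validating velocity Template path... (Sending.java:508)",
    "DEBUG [main] 09-08 12:30:26 reply message sent. (Sending.java:392)",
]

# The EXTRACT-kv_event regex from the answer, in Python group syntax.
# Splunk (PCRE) would write (?<mailbox>...), Python's re wants (?P<mailbox>...).
KV_EVENT = re.compile(
    r"\[mail\sbox:\s(?P<mailbox>[^,]+),\ssender:\s(?P<sender>[^,]+),"
    r"\ssubject:\s(?P<subject>[^<]+)<"
)

# Hypothetical second extraction (not from the thread): label which of the
# two messages an event is by capturing the literal text into event_type.
# Anchoring on the timestamp keeps it from matching the strings elsewhere.
EVENT_TYPE = re.compile(
    r"\d{2}:\d{2}:\d{2}\s(?P<event_type>Sending reply for message|reply message sent)"
)

PATTERNS = {"kv_event": KV_EVENT, "event_type": EVENT_TYPE}


def extract_fields(event, patterns=PATTERNS):
    """Apply every extraction to one event; merge the named groups that match.

    An extraction that does not match contributes nothing, the same way an
    EXTRACT-* stanza in props.conf silently adds no fields to a non-matching event.
    """
    fields = {}
    for pat in patterns.values():
        m = pat.search(event)
        if m:
            fields.update({k: v.strip() for k, v in m.groupdict().items()})
    return fields


def extract_all(events=SAMPLE_EVENTS):
    """Return one dict of extracted fields per event."""
    return [extract_fields(e) for e in events]


def unmatched_extractions(events=SAMPLE_EVENTS, patterns=PATTERNS):
    """Names of extractions that match none of the sample events.

    Useful for spotting a regex that would never fire (for example one that
    expects both message strings inside a single event, when they occur in
    two different events) before it is installed in props.conf.
    """
    return sorted(
        name for name, pat in patterns.items()
        if not any(pat.search(e) for e in events)
    )


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, extract_all()):
        print(event[:60] + "...", "->", fields)
    print("extractions with no match:", unmatched_extractions())
```

Run it as-is to see the fields each sample event yields; the middle event produces an empty dict because neither extraction matches it. To test a different regex, add it to PATTERNS and check that unmatched_extractions() stays empty.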