Solved: How do I simplify the regular expression in my fie...

kmaron · ‎01-25-2017

Apparently the field extraction I built using Splunk Web has caused other searches on the same datasets to be horribly slow.

My log looks like this:

[1/25/17 12:57:14:378 EST] 00000eb3 SystemErr     R CIWEB.ICMAPIPlugin Error: [E111111(unknown) @ 99.9.99.999]

All I really want is to single out the plugin name. It always is in the form CIWEB.*name*Plugin. (in this case I just want the ICMAPI piece) It seems to me there should be a much simpler regular expression to identify this than the horribly huge and slow thing I built with Splunk Web.

So far the things I've tried haven't worked either by editing the regex created by Splunk Web or trying to do it in the search.

gokadroid · ‎01-25-2017

Try this regex below and see if this makes it any faster than current scenario ( as this one takes 29 steps to match that string from your sample string):

"CIWEB\.(?<pluginName>.*?)Plugin"

See extraction here

View solution in original post

gokadroid · ‎01-25-2017

Try this regex below and see if this makes it any faster than current scenario ( as this one takes 29 steps to match that string from your sample string):

"CIWEB\.(?<pluginName>.*?)Plugin"

See extraction here

kmaron · ‎01-25-2017

That is perfect! I was so close. Its good to know I was at least on the right track.

Thank you!

How do I simplify the regular expression in my field extraction to improve search performance?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes