Apparently the field extraction I built using Splunk Web has caused other searches on the same datasets to be horribly slow.
My log looks like this:
[1/25/17 12:57:14:378 EST] 00000eb3 SystemErr R CIWEB.ICMAPIPlugin Error: [E111111(unknown) @ 99.9.99.999]
All I really want is to single out the plugin name. It always is in the form CIWEB.*name*Plugin. (In this case I just want the ICMAPI piece.) It seems to me there should be a much simpler regular expression to identify this than the horribly huge and slow thing I built with Splunk Web.
So far the things I've tried haven't worked, either by editing the regex created by Splunk Web or by trying to do it in the search.
Try this regex below and see if this makes it any faster than the current scenario (as this one takes 29 steps to match that string from your sample string):
"CIWEB\.(?<pluginName>.*?)Plugin"
That is perfect! I was so close. It's good to know I was at least on the right track.
Thank you!
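An added example, not part of the original thread: it runs the answer's pattern over constructed log lines next to a bounded variant, showing that `.*?` captures unrelated text when `Plugin` first appears later in the event. The bounded pattern, the helper names and the second and third events are assumptions made here; the variant assumes plugin names contain only word characters.

```python
import re

# The answer's pattern, using Python's (?P<name>...) group syntax
# (Splunk's PCRE accepts the (?<name>...) form shown in the thread).
LAZY = re.compile(r"CIWEB\.(?P<pluginName>.*?)Plugin")

# Assumed tighter variant: the name may contain only word characters, so the
# capture cannot run past the CIWEB token into the rest of the event.
BOUNDED = re.compile(r"CIWEB\.(?P<pluginName>\w+?)Plugin\b")

# Sample events: the first is the line from the question, the other two are
# constructed for this example.
EVENTS = [
    "[1/25/17 12:57:14:378 EST] 00000eb3 SystemErr R CIWEB.ICMAPIPlugin "
    "Error: [E111111(unknown) @ 99.9.99.999]",
    "[1/25/17 12:57:15:001 EST] 00000eb4 SystemErr R CIWEB.Startup "
    "Error: failed to load AuditPlugin",
    "[1/25/17 12:57:16:120 EST] 00000eb5 SystemOut O no plugin reference here",
]


def extract(pattern, event):
    """Return the pluginName capture, or None when the event does not match."""
    match = pattern.search(event)
    return match.group("pluginName") if match else None


def compare(events):
    """Return (lazy, bounded) extraction results for each event."""
    return [(extract(LAZY, e), extract(BOUNDED, e)) for e in events]


if __name__ == "__main__":
    for event, (lazy, bounded) in zip(EVENTS, compare(EVENTS)):
        print(f"lazy={lazy!r:45} bounded={bounded!r}")
```

On the second event the lazy pattern yields a field value that spans several tokens, which would pollute any stats or alerting keyed on `pluginName`; the bounded pattern leaves the field unset instead.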