Splunk Search

Why am I receiving this error when I am trying to extract a streetname which can appear either with or without another field in front of it in the input stream?

ajobling1964
New Member

The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
Select Fields
Highlight one or more values in the sample event to create fields. You can indicate one value is required, meaning it must exist in an event for the regular expression to match. Click on highlighted values in the sample event to modify them. To highlight text that is already part of an existing extraction, first turn off the existing extractions. Learn more
Feb 14 14:44:18 exnet-01a.intechnologywifi.com local1 events: EventType[Area Change] MAC[00:B3:62:BE:8E:B7] Details: Area[SS1 - CCTV193 - Eastern Esplanade]
Feb 10 13:56:29 exnet-01a.intechnologywifi.com local1 events: EventType[Area Change] MAC[A4:E4:B8:6E:DD:D2] Details: Area[SS1 - Leigh On Sea Community Centre]

0 Karma
1 Solution

micahkemp
Champion

Here is a solution to the regex, which considers the middle - somestring to be optional:

https://regex101.com/r/TrXBUL/1

As for why your regex caused that error, you'd need to post the regex you used for anyone to give you an answer.

Updated link that also grabs the middle value:

https://regex101.com/r/TrXBUL/4

It was just a case of adding a named capture group for the portion of the optional group up until the space.

0 Karma
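
An added example, not the regex behind the regex101 links and not code from either poster: one way to write the pattern the answer describes, with the middle `- somestring` portion optional and captured up to the space, run over the two sample events from the question. The field names `zone`, `camera` and `streetname` and the function `extractArea` are assumptions made for illustration.

```javascript
// Sample input: the two events posted in the question, embedded so this runs offline.
const SAMPLE_EVENTS = [
  "Feb 14 14:44:18 exnet-01a.intechnologywifi.com local1 events: EventType[Area Change] MAC[00:B3:62:BE:8E:B7] Details: Area[SS1 - CCTV193 - Eastern Esplanade]",
  "Feb 10 13:56:29 exnet-01a.intechnologywifi.com local1 events: EventType[Area Change] MAC[A4:E4:B8:6E:DD:D2] Details: Area[SS1 - Leigh On Sea Community Centre]",
];

// Group names are assumed, not taken from the thread.
//   zone        first token inside Area[...], no spaces
//   camera      optional middle token, no spaces, followed by " - "
//   streetname  everything left up to the closing bracket
// Negated character classes keep every group inside the brackets, so a
// missing middle token cannot make the match run into the rest of the event.
const AREA_RE =
  /Area\[(?<zone>[^\]\s]+) - (?:(?<camera>[^\]\s]+) - )?(?<streetname>[^\]]+)\]/;

function extractArea(event) {
  const m = AREA_RE.exec(event);
  if (m === null) return null; // event has no Area[...] block
  const { zone, camera, streetname } = m.groups;
  // An optional group that did not take part in the match is undefined;
  // normalise it to null so callers can tell "absent" from "empty".
  return { zone, camera: camera ?? null, streetname: streetname.trim() };
}

for (const event of SAMPLE_EVENTS) {
  console.log(extractArea(event));
}
```

The `(?<name>...)` named-group syntax used here is the same one Splunk's `rex` command accepts. A street name that itself starts with a single word followed by ` - ` would be split, with that word landing in the optional field.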

ajobling1964
New Member

That's solved it, thanks. How would I extract the previous field, which may or may not exist in the string, i.e. CCTV193 in this case?

0 Karma

ajobling1964
New Member

Excellent, thanks - I'd nearly worked it out!

0 Karma

micahkemp
Champion

Edited my answer with a new link to meet that need.

0 Karma