No regex could be learned. Try providing different...

hikari992 · ‎05-01-2013

Hi everyone, I'm quite new to splunk.
I encounter this error message "No regex could be learned. Try providing different examples or restriction." while I was trying to extract longitude value using the Interactive field extractor. But I was able to extract Latitude value and this is the regex for the Latitude value that display in the props.conf file "EXTRACT-Latitude = (?i).Double">(?P[^<]+)". Please help me. Thank you.

kristian_kolb · ‎05-02-2013

1.4004771683629058/d:latitude
103.8579338813216/d:longitude

Given the data format above, I would choose to do like so;

props.conf

[your_sourcetype]
EXTRACT-lat = >(?<latitude>[^<]+)</d:latitude
EXTRACT-long = >(?<longitude>[^<]+)</d:longitude

/K

Ayn · ‎05-02-2013

Just use the Latitude extraction as a template here, change latitude for longitude in both places and you should be good to go.

Ayn · ‎05-02-2013

Oh, right. Didn't see that 🙂

kristian_kolb · ‎05-02-2013

Problem is that the EXTRACT in the original question would capture both long and lat, calling them both latitude (or just keeping one of them if it's not a multi-valued field).

hikari992 · ‎05-02-2013

Hi, it's a xml data.
1.4004771683629058/d:Latitude
103.8579338813216/d:Longitude

Ayn · ‎05-01-2013

Log samples please? Hard to tell you what your regular expression should look like otherwise.

No regex could be learned. Try providing different examples or restriction.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms