Splunk Inc.
Extraction rule validation

Abstract:

Embodiments of the present invention are directed to validating extraction rules. In embodiments, a set of events for which field extraction is desired is obtained. Thereafter, an extraction rule is applied to the set of events to extract fields of the events. The application of the extraction rule can be monitored to determine that the applied extraction rule is invalid. Based on the applied extraction rule being invalid, a new extraction rule can be generated to apply to the set of events.