Extract into dedup_key occasionally doesn't work.


I’m using the PagerDuty app for Splunk and sending events to the global queue for routing & deduplication.

I have configured global rules to extract the description & dedup_key fields from the event using a simple regex (.*). The description extraction works, as I can see the summary name keeps changing. The dedup_key extraction, however, doesn’t appear to work, and as a result all alerts are being attached to a single incident because the default dedup_key is the Splunk search name.

Hi Brendan,

It looks like you may have an underscore character in this field that is interfering with your regex and causing it to match more than once. When there isn’t a single match, the dedup key field extraction will fail. In this particular case, it looks like you also passed in a dedup_key value in the payload, so it defaulted back to that one once the rule failed.

I would recommend adding a ^ at the start of your regex to ensure a single match: ^(.*)

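To see why an unanchored (.*) can produce more than one match while ^(.*) produces exactly one, the following added example (not code from the thread or from PagerDuty) runs both patterns over a constructed field value in Python's re module. In that engine the unanchored pattern returns the whole string and then a trailing empty match, so a rule that requires a single match fails; the anchored pattern returns one match. The "exactly one match or the rule fails, then fall back to the payload dedup_key" logic is a model of the behaviour Paul describes, not PagerDuty's implementation, and the field value and payload key are made up for the example.

```python
import re
from typing import Optional

# Constructed sample data (hypothetical): a Splunk result field containing
# underscores, and the dedup_key the saved search already placed in the payload.
EXTRACTED_FIELD = "web_frontend_disk_full"
PAYLOAD_DEDUP_KEY = "Disk usage alert"   # stands in for the Splunk search name


def count_matches(pattern: str, text: str) -> int:
    """Number of matches re.findall reports for pattern over text."""
    return len(re.findall(pattern, text))


def extract_single(pattern: str, text: str) -> Optional[str]:
    """Model of a field-extraction rule that succeeds only on exactly one match.

    Returns the captured group when the regex matches exactly once, otherwise
    None, meaning the rule is treated as failed. This mirrors the behaviour
    described in the thread; it is not PagerDuty's actual rule engine.
    """
    matches = re.findall(pattern, text)
    if len(matches) != 1:
        return None
    return matches[0]


def resolve_dedup_key(pattern: str, text: str, payload_key: str) -> str:
    """Use the extracted value, or fall back to the dedup_key already in the payload."""
    extracted = extract_single(pattern, text)
    return extracted if extracted is not None else payload_key


if __name__ == "__main__":
    for pat in (r"(.*)", r"^(.*)"):
        found = re.findall(pat, EXTRACTED_FIELD)
        key = resolve_dedup_key(pat, EXTRACTED_FIELD, PAYLOAD_DEDUP_KEY)
        print(f"{pat!r}: matches={found} -> dedup_key={key!r}")
```

Running it shows (.*) yielding two matches (the full value and an empty string at the end), so the modelled rule fails and every event falls back to the same payload key, which is exactly the "everything lands on one incident" symptom; ^(.*) yields the single match and the underscore-laden value becomes the dedup_key.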

Hi Paul,

Yes, the dedup field usually has an underscore. I’ve changed the regex to ^(.*) as suggested and I’ll test it shortly. Thanks for the information.
