
Hit and miss extractions

I have come across a strange issue with regex extractions - the information I'm trying to extract seems to be only extracting some of the time. I have an automated report which uses a lookup list of orderIDs to find all events that contain the orderIDs in the list and then uses regex extractions to extract key fields. Each ID could have up to 16 events related to it - and for each series of events there will be a telephone number and a serviceID located in the XMLs. While checking over my report to ensure that the information was correct, I discovered that for some series of events, the telephone number was being extracted but the serviceID was not - I have looked at the XMLs for these and confirmed that the field is definitely present. To ensure that my regex was correct, I then ran my entire search that is used to create the report but replaced the lookup input with the OrderID, and lo and behold the serviceID was extracted and could be found in the interesting fields. I have checked that the formatting of the XMLs is the same (it is) but I cannot think what other reason there could be for these extractions working some of the time. Any ideas?

***Updated*** As a further test I have created a lookup list of an ID which is experiencing the extraction problem and an ID for which all information is extracting - when this list is placed into my search, all events are returned and all extractions are successful - could this be an issue with the size of my data and Splunk is cutting down my results? The original lookup list has 450 IDs and the query which used it as input returned 473 events.

