Hi everyone,
I have data from Cisco ESA similar to these two examples:
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
and
> Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com
Sometimes the "Suspected Domain" part is not a part of the data.
I want to add a field extraction for the "Threat Category" value (in this case "Spam").
Can anyone help me out with this? I tried the field extraction in Splunk, but Splunk can't handle both types (with a "," or a "." after the category "Spam").
Regards,
Maik
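An added example (not part of the poster's question or of Splunk's own code) showing one regex that handles both event shapes: the threat category is captured as everything after "Threat Category:" up to the first comma or period, so it does not matter whether the optional "Suspected Domain(s)" part follows. The two sample lines are constructed copies of the events in the question. The same patterns should work unchanged in Splunk's `rex` command or in a `props.conf` `EXTRACT-*` stanza, since they use only features common to PCRE and Python's `re`; the Python harness is here so the behaviour can be checked offline.

```python
import re

# Constructed sample events, copied from the question (one with and one without
# the "Suspected Domain(s)" part).
EVENTS = [
    "Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: "
    "Consolidated Sender Reputation: Poor, Threat Category: Spam, "
    "Suspected Domain(s) : mail1@host.com, mailhost3.com. "
    "Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com",
    "Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: "
    "Consolidated Sender Reputation: Poor, Threat Category: Spam. "
    "Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com",
]

# Minimal extraction for the question: stop at the first "," or "." after the
# category, so "Spam," and "Spam." both yield "Spam". Spaces are allowed inside
# the value in case ESA ever emits a multi-word category.
THREAT_CATEGORY_RE = re.compile(r"Threat Category:\s*(?P<threat_category>[^,.]+)")

# Fuller extraction of the SDR line: the "Suspected Domain(s)" group is wrapped in
# (?: ... )? so it is optional, and the domain list is matched lazily up to the
# ". Youngest Domain Age:" that always follows it.
SDR_RE = re.compile(
    r"Consolidated Sender Reputation:\s*(?P<sender_reputation>[^,]+),\s*"
    r"Threat Category:\s*(?P<threat_category>[^,.]+)"
    r"(?:,\s*Suspected Domain\(s\)\s*:\s*(?P<suspected_domains>.*?))?"
    r"\.\s*Youngest Domain Age:\s*(?P<domain_age>.*?)\s+for domain:\s*(?P<domain>\S+)"
)


def extract_threat_category(event: str):
    """Return the Threat Category value, or None if the event has no SDR line."""
    m = THREAT_CATEGORY_RE.search(event)
    return m.group("threat_category").strip() if m else None


def extract_sdr_fields(event: str):
    """Return all SDR fields as a dict; optional groups that did not match are None."""
    m = SDR_RE.search(event)
    if not m:
        return None
    return {k: (v.strip() if v is not None else None) for k, v in m.groupdict().items()}


if __name__ == "__main__":
    for ev in EVENTS:
        print(extract_threat_category(ev), extract_sdr_fields(ev))
```

In Splunk the first pattern becomes `| rex "Threat Category:\s*(?<threat_category>[^,.]+)"`, which is the piece the question asks for; the second pattern is the same idea extended to the rest of the line, and is worth keeping if the sender reputation or domain age is also going to be searched on.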