Splunk Search

Field Extraction for Symantec Mail Security for SMTP

marendra
Explorer

Dear all,

I am currently struggling with extracting fields for Symantec Mail Security for SMTP.
The sample log looks as follows (a single log entry):

20110329,7,1=1,11=<IP for Origin Mail Server>,21=<rcpt email address 1>\, <rcpt email address 1>\, <rcpt email address 1>\, <rcpt email address 1>\, <rcpt email address 1>,23=756702,52=M2011032900000716831,22=<Subject>,20=<sender email address 1>,120=36315,2=5

So it seems that in one log entry, recipient emails are consolidated. It is different from Barracuda and Exchange, where every mail transaction is separated into its own log entry, so it is quite clear-cut to do field extraction.

Please advise how can I do the field extract based on this kind of log.

Thank you so much for all your help

Regards
marendra

1 Solution

southeringtonp
Motivator

Here are a couple of possibilities, depending on what the rest of your data looks like...

Assuming there may be other multi-value fields, you can extract the full recipient list into an intermediate field. Once you have that, split it into the individual recipients.

transforms.conf:

[mailsec-recipient-list]
# Match starting with option 21, and keep
# going until we hit another option or the end
# (the end-of-line alternative sits inside a group, so it only
# terminates the list instead of matching on its own)
REGEX = ,21=(.*?)(?:,\d+=|$)
FORMAT = recipient_list::$1

[mailsec-recipient]
# Split each recipient out from the full list
SOURCE_KEY = recipient_list
MV_ADD = True
# (\s* keeps the space after each "\," out of the value)
REGEX = \s*([^,\\]+)
FORMAT = recipient::$1

In props.conf:

[mailsec]
# Order matters; make sure that the full list
# gets extracted first...
REPORT-0-mailsec = mailsec-recipient-list
REPORT-1-mailsec = mailsec-recipient

If this is the only multi-value field, and there are no other cases where you have a comma followed by a space, then you can just look for option 21 or a space after the comma:

transforms.conf:

[mailsec-recipient]
# Exclude the backslash so the "\," escape is not kept on the value
REGEX = ,(\s+|(21=))([^,\\]+)
FORMAT = recipient::$3
MV_ADD = True

props.conf:

[mailsec]
REPORT-mailsec = mailsec-recipient

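To check the two-stage extraction above before putting it in transforms.conf, here is an added example (not part of the original answer) that runs the same regexes with Python's re module over a constructed line in the question's format, with placeholder addresses, and also runs the single-regex variant for comparison. The patterns use only constructs that Python's re and Splunk's PCRE treat alike.

```python
import re
from typing import List, Optional

# Constructed sample in the shape of the line from the question (placeholder addresses).
SAMPLE = (
    "20110329,7,1=1,11=192.0.2.10,"
    "21=alice@example.com\\, bob@example.com\\, carol@example.com,"
    "23=756702,52=M2011032900000716831,22=Weekly report,"
    "20=sender@example.org,120=36315,2=5"
)

# Stage 1 (mailsec-recipient-list): from ",21=" up to the next ",<digits>=" option
# or the end of the line.
RECIPIENT_LIST_RE = re.compile(r",21=(.*?)(?:,\d+=|$)")

# Stage 2 (mailsec-recipient): one value per "\, "-separated entry; the backslash and
# the space after each escaped comma stay out of the captured value.
RECIPIENT_RE = re.compile(r"\s*([^,\\]+)")

# Single-regex variant: a comma followed by whitespace or by "21=" starts a recipient.
SINGLE_STAGE_RE = re.compile(r",(?:\s+|21=)([^,\\]+)")


def extract_recipient_list(line: str) -> Optional[str]:
    """Value of the intermediate recipient_list field, or None if option 21 is absent."""
    m = RECIPIENT_LIST_RE.search(line)
    return m.group(1) if m else None


def extract_recipients(line: str) -> List[str]:
    """Two-stage extraction: split the intermediate list into individual recipients."""
    recipient_list = extract_recipient_list(line)
    return RECIPIENT_RE.findall(recipient_list) if recipient_list else []


def extract_recipients_single_stage(line: str) -> List[str]:
    """One-pass variant, valid only when no other field contains ", " (comma-space)."""
    return SINGLE_STAGE_RE.findall(line)


if __name__ == "__main__":
    print(extract_recipient_list(SAMPLE))
    print(extract_recipients(SAMPLE))
    print(extract_recipients_single_stage(SAMPLE))
```

The second constructed line in the test below has option 21 as the last field, which is the case the end-of-line alternative in the stage-1 regex exists for.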

marendra
Explorer

Hi southeringtonp
Fantastic, it works... Thank you very much.
