Solved: Different field value result - props.conf versus r...

Derek · ‎07-02-2010

I have an event that is coming from a Windows forwarder. When you view the event in the log file on the server it looks like this:

---- log entry made at 07/02/2010 09:15:00
Incoming SMTP call from a.b.c.d at 09:15:00.
Message B021531231236@int2.mydomain.com received at 09:15:00 from mail1.outsidedomain.com (unverified [a.b.c.d]).
Size: 18842 bytes
Return-path: Reports@domainA.com
Recipients: joe.smith@mig.mydomain.com,
Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00.

When you search for the event in splunk web it looks the same.

If I use rex in search to get the Return-path using: (?i)\-path: (?P<from>.*) I get the proper values 'Reports@domainA.com', but if I put the regex into props.conf for that field I'm getting 'Reports@domainA.comRecipients: joe.smith@mig.mydomain.com, Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00.'

Is it possible for splunk web to be putting a newline in or something like that?

gkanapathy · ‎07-02-2010

Change it to:

(?i-s)-path: (?P<from>.*)

or:

(?i)-path: (?P<from>\V*)

\V is "not vertical whitespace character"

View solution in original post

gkanapathy · ‎07-02-2010

Change it to:

(?i-s)-path: (?P<from>.*)

or:

(?i)-path: (?P<from>\V*)

\V is "not vertical whitespace character"

gkanapathy · ‎07-03-2010

basically, the difference is that rex apparently has the (?s) option on by default, and props.conf does not. this determines whether . matches newlines. the first example turns off the option, the second makes it irrelevant.

Different field value result - props.conf versus rex - using same regular expression

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!