I have an event that is coming from a Windows forwarder. When you view the event in the log file on the server it looks like this:
---- log entry made at 07/02/2010 09:15:00
Incoming SMTP call from a.b.c.d at 09:15:00.
Message B021531231236@int2.mydomain.com received at 09:15:00 from mail1.outsidedomain.com (unverified [a.b.c.d]).
Size: 18842 bytes
Return-path: Reports@domainA.com
Recipients: joe.smith@mig.mydomain.com,
Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00.
When you search for the event in Splunk Web it looks the same.
If I use rex in search to get the Return-path using: (?i)\-path: (?P<from>.*)
I get the proper value 'Reports@domainA.com', but if I put the regex into props.conf for that field I get 'Reports@domainA.comRecipients: joe.smith@mig.mydomain.com, Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00.'
Is it possible that Splunk Web is putting a newline in, or something like that?
Change it to:
(?i-s)-path: (?P<from>.*)
or:
(?i)-path: (?P<from>\V*)
\V is "not vertical whitespace character".
Basically, the difference is that rex apparently has the (?s) option on by default, and props.conf does not. This determines whether the . character matches newlines. The first example turns off the option, the second makes it irrelevant.
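To make the (?s) difference concrete, here is an added example (not part of the original post, and not Splunk code) that runs the question's regex over a constructed copy of the event with Python's re module standing in for Splunk's PCRE engine. re.DOTALL stands in for the (?s) option being on; Python has no \V, so the character class NOT_VERTICAL_WS is a hand-built stand-in (an assumption) for PCRE's "not vertical whitespace". It also goes one step beyond the post and shows what happens when the event arrives with CRLF line endings, which is common for events coming through a Windows forwarder.

```python
import re

# Constructed sample event, modelled on the one quoted in the question
# (not a real capture).
EVENT = (
    "---- log entry made at 07/02/2010 09:15:00\n"
    "Incoming SMTP call from a.b.c.d at 09:15:00.\n"
    "Message B021531231236@int2.mydomain.com received at 09:15:00 "
    "from mail1.outsidedomain.com (unverified [a.b.c.d]).\n"
    "Size: 18842 bytes\n"
    "Return-path: Reports@domainA.com\n"
    "Recipients: joe.smith@mig.mydomain.com,\n"
    "Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00."
)

# The pattern from the question, as written (Python accepts the same syntax).
ORIGINAL = r"(?i)-path: (?P<from>.*)"

# Python's re module has no \V, so this character class is a hand-built
# stand-in (assumption) for PCRE's "not vertical whitespace": it excludes
# LF, VT, FF, CR, NEL, LINE SEPARATOR and PARAGRAPH SEPARATOR.
NOT_VERTICAL_WS = r"[^\n\x0b\x0c\r\x85\u2028\u2029]"
NEWLINE_SAFE = r"(?i)-path: (?P<from>" + NOT_VERTICAL_WS + r"*)"


def extract_from(pattern, event, dotall):
    """Run one extraction; dotall=True stands in for the (?s) option being on."""
    flags = re.DOTALL if dotall else 0
    m = re.search(pattern, event, flags)
    return m.group("from") if m else None


def compare(event):
    """Return the four extractions side by side: each pattern with (?s) off and on."""
    return {
        "original_no_s": extract_from(ORIGINAL, event, dotall=False),
        "original_with_s": extract_from(ORIGINAL, event, dotall=True),
        "V_no_s": extract_from(NEWLINE_SAFE, event, dotall=False),
        "V_with_s": extract_from(NEWLINE_SAFE, event, dotall=True),
    }


if __name__ == "__main__":
    for name, value in compare(EVENT).items():
        print(f"{name:16} -> {value!r}")
    # Same event with CRLF line endings: a bare . still swallows the \r
    # (it only refuses \n), while the \V stand-in stops cleanly.
    for name, value in compare(EVENT.replace("\n", "\r\n")).items():
        print(f"CRLF {name:11} -> {value!r}")
```

The run shows the question's symptom exactly: with (?s) off, .* stops at the end of the Return-path line; with it on, .* runs through the Recipients and completion lines to the end of the event. The \V form gives the clean address in both modes, and it is also the one to prefer for CRLF events, where the bare . version leaves a trailing carriage return in the field value.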