I need to extract the value where "SoftFail" from this example log is.
In related logs, the value is always after an email address and before (v=spf1). The value always has one space before it. At first glance, looking for a value after the email address seems like it could work, but there are many domain possibilities, including those with subdomains, so it's hard to use rex based on @ and x amount of .'s.
Is there a way to capture it like the following?:
Oct 25 21:16:05 x.x.x.x Splunk_PIApp_MailLogs_QDC: Info: MID 92041462 SPF: mailfrom identity foo@bar.com SoftFail (v=spf1)
This will work:
\S@[^\s]+\s+(?<SPF_RESULT>[^ ]+)
See it in action here: https://regex101.com/r/zzf5RJ/1
@octavioserpa,
Try
|rex field=_raw ".*\s(?<SPF_Result>\w+)\s\(v=spf1\)"
OR
|rex field=_raw "(?<SPF_Result>\w+)\s\(v=spf1\)"
The second one is a bit expensive 🙂
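To check the two approaches from the answers above outside Splunk, here is an added Python example (not from the original thread): it runs the address-anchored pattern and the "(v=spf1)"-anchored pattern, rewritten with Python's (?P<name>...) group syntax, over constructed log lines in the same layout, and tallies the results the way a "| stats count by SPF_Result" would.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the sanitized log in the question
# (placeholder IP and addresses; the last line has no SPF record at all).
SAMPLE_LOGS = [
    "Oct 25 21:16:05 x.x.x.x Splunk_PIApp_MailLogs_QDC: Info: MID 92041462 "
    "SPF: mailfrom identity foo@bar.com SoftFail (v=spf1)",
    "Oct 25 21:16:07 x.x.x.x Splunk_PIApp_MailLogs_QDC: Info: MID 92041463 "
    "SPF: mailfrom identity alice@mail.corp.example.co.uk Pass (v=spf1)",
    "Oct 25 21:16:09 x.x.x.x Splunk_PIApp_MailLogs_QDC: Info: MID 92041464 "
    "SPF: mailfrom identity bob@sub.example.org Fail (v=spf1)",
    "Oct 25 21:16:11 x.x.x.x Splunk_PIApp_MailLogs_QDC: Info: MID 92041465 "
    "Delivery: queued for delivery",
]

# Pattern from the first answer: anchor on the mailfrom address, then take the
# next whitespace-delimited token. Subdomain depth does not matter because
# [^\s]+ consumes the whole domain regardless of how many dots it contains.
BY_ADDRESS = re.compile(r"\S@[^\s]+\s+(?P<SPF_RESULT>[^ ]+)")

# Pattern from the second answer (without the leading .*): anchor on the
# literal "(v=spf1)" and take the word immediately before it.
BY_SUFFIX = re.compile(r"(?P<SPF_Result>\w+)\s\(v=spf1\)")


def extract_by_address(line):
    """SPF result via the address-anchored pattern, or None if no address is present."""
    m = BY_ADDRESS.search(line)
    return m.group("SPF_RESULT") if m else None


def extract_spf_result(line):
    """SPF result via the (v=spf1)-anchored pattern, or None if the line has no SPF record."""
    m = BY_SUFFIX.search(line)
    return m.group("SPF_Result") if m else None


def spf_summary(lines):
    """Count SPF outcomes across lines, skipping lines without a result."""
    return Counter(r for r in map(extract_spf_result, lines) if r)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_by_address(line), extract_spf_result(line))
    print(dict(spf_summary(SAMPLE_LOGS)))
```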
@octavioserpa, if any of the answers helped you, please accept/upvote, or comment here if you need further assistance.
Hi octavioserpa,
please remove all IPs or email addresses before you post log samples 🙂
cheers, MuS
PS: I removed them from this post 😉