Hello harsmarvania57,

Thanks you for your regex search, however i still can't show the results on table format, it shows nothing else than the column names.
There is no returned values under.

I was able to find until this :

 index=* OR index=_* sourcetype=test_bla | rex field=_raw "From: (?.*) Subject: (?.*)"  | table  from, subject

But yours seems better because it allows multiline seems ?
Still nothing as output in table.

 index=* OR index=_* sourcetype=test_bla | rex field=_raw "(?s)From\:\s(?<from>[^\v]*)\nTo\:\s(?<to>[^\v]*)\n[^\n]*\nSubject\:(?<subject>[^\v]*)"| table  from, subject

But that seems to be the way to go if manual extraction doesn't work ... Mmmh.
scratching head

If you want result in table format then please add | table from, to, subject at end of splunk query which I have provided.

I did it, and it shows null as results. But there is definitely the columns.
Following line :

index=* OR index=_* sourcetype=test_bla | rex field=_raw "(?s)From\:\s(?<from>[^\v]*)\nTo\:\s(?<to>[^\v]*)\n[^\n]*\nSubject\:(?<subject>[^\v]*)" | table from, to, subject

Can you please try below query

index=* OR index=_* sourcetype=test_file_fabien_dmarc | rex field=_raw "From\:\s(?<from>[^\v]*)\nTo\:\s(?<to>[^\v]*)\n[^\n]*\nSubject\:\s(?<subject>[^\v]*)" | table from, to, subject

Actually still null values, it shows nothing below.
Probably due to others logs that are interfering with this example, but they are all alike.

If you have any format issue for example extra space or extra lines in your logs while matching that particular regex then it will give you null values, so it is difficult to help on this but you can try Run anywhere search which I have provided and adjust regex based on your actual logs.

Going to provide bigger example, to see difference.
Anyway the "run anywhere" is the regex example ? or something else ?

Run anywhere search query, you can run on any splunk instance without ingesting any data in splunk so it's like playing with dummy data without indexing those data in splunk.

I was wondering, since i settled a "From -" delimiter, maybe i should do a field_extractor with a "new line" delimiter and not a regex ? I can't find the "new line" command for that. Instead of space / tab / , / Pipe / just going to other with new line ?

The begginning of the log event every "From -" refers to one entire log case, but seems to start identically ? Maybe u got a better idea ?

From - Thu Feb 10 18:09:00 2019
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <blababla@hotmail.com>
Received: from lmtpproxyd (iPod [8.8.8.8])
     by backend (Cyrus v1.1.1) with LMTPA;
     Fri, 17 Nov 2017 00:00:01 +0100
X-Sieve: CMU Sieve 1.1
Received: from iPod.blabla.com (localhost [127.0.0.1])
     by iPod (Cyrus v1.1-blabla) with LMTPA;
     Fri, 17 Nov 2017 00:00:01 +0100
Received: from localhost (localhost [127.0.0.1])
    by iPod.blabla.com (Postfix) with ESMTP id GGEH767538
    for <ress@iPod.blabla.com>; Fri, 17 Nov 2017 00:00:01 +0100 (CET)
X-Virus-Scanned: amavisd-new at blablablba.blablabla.com
Received: from iPod.blabla.com ([127.0.0.1])
    by localhost (iPod.blabla.com [127.0.0.1]) (amavisd-new, port 10000)
    with ESMTP id fzrfrfUG978 for <ress@iPod.blabla.com>;
    Fri, 17 Nov 2017 00:00:01 +0100 (CET)
Received: from pfejfhr.com (unknown [78.78.78.78])
    by iPod.blabla.com (Postfix) with ESMTP id 675GHKGG
    for <ress@blablablba.blablabla.com>; Fri, 17 Nov 2017 00:00:01 +0100 (CET)
Received: from mail.blablablba.blablabla.com (unknown [76.76.76.76])
    by pfejfhr.com (Postfix) with ESMTP id HYFTT7ehjzhgfee
    for <ress@blablablba.blablabla.com>; Fri, 17 Nov 2017 00:00:01 +0100 (CET)
Received: from mail.blablablba.blablabla.com (localhost.localdomain [127.0.0.1])
    by localhost (Postfix) with SMTP id T6568TYIG
    for <ress@blablablba.blablabla.com>; Fri, 17 Nov 2017 00:00:01 +0100 (CET)
Received: from heuoh.hotmail.com (heuoh.hotmail.com [54.54.54.54])
    by mail.blablablba.blablabla.com (Postfix) with ESMTP id GYYE76557G
    for <ress@blablablba.blablabla.com>; Fri, 17 Nov 2017 00:01:01 +0100 (CET)
Received: from huhuhu.effe.com ([65.54.190.199]) by heuoh.hotmail.com with Microsoft SMTPSVC(7.4.6600.23002);
     Thu, 16 Nov 2017 00:00:01 -0800
Received: from mail pickup service by huhuhu.effe.com with Microsoft SMTPSVC;
     Thu, 16 Nov 2017 00:00:01 -0800
Date: Thu, 16 Nov 2017 00:00:01 -0800 
From: blababla@hotmail.com
Subject: balblabla#ydgOUAI : blblbblcookie.
To: ress@blablablba.blablabla.com
MIME-Version:  1.0 
Content-Type: multipart/report; report-type=feedback-report; boundary="8D57E08F-48E4-4B4A-BA1C-8FF7C1764CFF"
Message-ID: <jhegufhrfhrfr@huhuhu.effe.com>
X-OriginalArrivalTime: 17 Nov 2017 00:00:01.0098 (UTC) FILETIME=[F2BF3E60:01D35F48]
X-PMX-SpamDetected: [PMX:8%] balblabla#ydgOUAI : blblbblcookie.

--8D57E08F-48E4-4B4A-BA1C-8FF7C1764CFF
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message received from IP 1.1.1.1 on Thu, 16 Nov 2017 00:00:01 -0800.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.

--8D57E08F-48E4-4B4A-BA1C-8FF7C1764CFF
Content-Type: message/feedback-report

Feedback-Type: auth-failure
User-Agent: XMR/2.2
Version: 1.0
Original-Mail-From: <youhououuu@renegade.com>
Arrival-Date: Thu, 16 Nov 2017 00:00:01 -0800
Message-ID: <65658YFYIRF655YYYF.UTGIYF5658@renegade.com>
Authentication-Results: hotmail.com; spf=fail (sender IP is 1.1.1.1; identity alignment result is pass and alignment mode is strict) smtp.mailfrom=youhououuu@renegade.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=renegade.com; x-hmca=fail header.id=youhououuu@renegade.com
Source-IP: 1.1.1.1
Auth-Failure: spf
Reported-Domain: renegade.com
DKIM-Domain: renegade.com

--8D57E08F-48E4-4B4A-BA1C-8FF7C1764CFF
Content-Type: message/rfc822
Content-Disposition: inline

Authentication-Results: hotmail.com; spf=fail (sender IP is 1.1.1.1; identity alignment result is pass and alignment mode is strict) smtp.mailfrom=youhououuu@renegade.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=renegade.com; x-hmca=fail header.id=youhououuu@renegade.com
X-Envelope-Sender: youhououuu@renegade.com
X-SID-PRA: youhououuu@renegade.com
X-AUTH-Result: FAIL
X-SID-Result: FAIL
Received: from hostouaiiiii.mailouaiiii.com ([1.1.1.1]) by BLIPe887.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
     Thu, 16 Nov 2017 00:00:01 -0800
Received: from smtp-auth.mailouaiiii.com ([87.87.87.23])
    by efzrfrgge.mailouaiiii.com with esmtp (Exim 4.89)
    (envelope-from <youhououuu@renegade.com>)
    id jhegeu-hgh
    for spammerbadboy@hotmail.com; Fri, 17 Nov 2017 00:00:01 +0100
Received: from renegade.com (unknown [12.12.33.32])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by smtp-auth.mailouaiiii.com (Postfix) with ESMTPSA id 1232DC2FE9
    for <spammerbadboy@hotmail.com>; Fri, 17 Nov 2017 03:07:32 +0100 (CET)
From: renegade.com<youhououuu@renegade.com>
To: "Red" <srgre@outlook.com>
Subject: balblabla#ydgOUAI : blblbblcookie.
Date: 17 Nov 2017 03:07:39 +0100
Message-ID: <65658YFYIRF655YYYF.UTGIYF5658@renegade.com>
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: 87.87.87.23
X-SpamExperts-Domain: mailouaiiii.com
X-SpamExperts-Username: 90.90.90.90/27
Authentication-Results: mailouaiiii.com; auth=pass smtp.auth=90.90.90.90/27@mailouaiiii.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.51)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5h8jPBsH8AXTv5biUPnlg/4Xv9krsgRhBn0ayn6qsUc7fKouoqPotlcx
 w1CZuqV//N6//ra/0IXHcpXLHLcIt+727z1AETIt1d8NESjfm95H4pWx7WxWFZpsjT/483ewglXS
 iqAO3UGYFyfgyfutFTUFYFfLg80aI/D69J4dYd4mlPGX/gfakiT80rH2R1nK5Mq48wcqk7YXS1e9
 q26ZcNF3f5xpTAUNMQ0JJgP0v15b4l490+CiPV9xHZNVQA/62sZtHl44dRHX+f+pVvORpcfgRcGA
 xD53rdbVx7JJx2IYJdMTLbKU5f7N/dQQ0GGSHGgyfgtFGYgiygiym+juwkfoj2B2N3DSVgv38u8+
 t+t51SWoTwCEQ1iynJbJ7P7ziN9fxN2oReTDHAyOynaY0Cm9GSCRG+Eiv14lFqrDnOjXLz/dsiah
 Q1DFoGJGH4QvNC6AayTjsGL669fZD7D9o6H5eVLZgA3W7yTT6rezlHpqs5hBGjwEbZdPzd12b7Yv
 JzS8cnLAwfWUw6S9kJBenxgtuhuehfuzrhuhzrfhHGYFHGGudgeygyefgfgHPQJZCs/48fajDH/5
 X+XFuChdbNtxb+5tGKEiGYEJWopcWpnCjjVFI5FTJNPttA+hfulRl4SLN5qz1ghVlBoloVTbI/EZ
 qJNdbvPaUyoCdu6Y7CHS48ade76lYemv+sknU77Qnj29Lh3NxbPtv/Yy5hM3iLADs/wCD8Eg78ij
 L9d9letS5jWvfTby+iIVYhriWeNtOj2ofGTVM8CU8UIQtsCTCCl+pvlHhV6a5QjptwQBGybQXyCh
 URdBQ9UAcX6GOWZZNr01UHzsbWCkxrFH2s6+t1uRfRdJ/ob367BEFFX/6GsCYQ/4lg9Ffvqg9IG0
 EE8tjM65b03QosTYiGfk313VOCz5HmmMbILBxzzwsvQJ3rmJbvfynFdfLp7o1YC4+weDK/Y4ocfm
 Wv3Fe9Iziczdq+A=
X-Report-Abuse-To: spamfrr@zrfrege.mailouaiiii.com
Return-Path: youhououuu@renegade.com
X-OriginalArrivalTime: 17 Nov 2017 00:00:01.0649 (UTC) FILETIME=[F203B690:01D35F48]

<!doctype html>
<html>
  <head>
    <meta name=3D"viewport" content=3D"width=3Ddevice-width" />
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8=
" />
    <title>Simple Email</title>
    <style>
    </style>
  </head>
  <body class=3D"">
    <table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" class=3D"body">=

      <tr>
        <td> </td>
        <td class=3D"container">
          <div class=3D"content">

            <!-- START CENTERED WHITE CONTAINER -->
            <span class=3D"preheader">This is preheader text. Some clients =
will show this text as a preview.</span>
            <table class=3D"main">

              <!-- START MAIN CONTENT AREA -->
              <tr>
                <td class=3D"wrapper">
                  <table border=3D"0" cellpadding=3D"0" cellspacing=3D"0">
                    <tr>
                      <td>
                        <p>balblabalblablablabalbal </p>
                        <p>rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg9,
rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg=
rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg</p>
                          <p>rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg
rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg</p>
                          <p>rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg</p>
                          <p>rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg.</p>
                        <table border=3D"0" cellpadding=3D"0" cellspacing=
=3D"0" class=3D"btn btn-primary">
                          <tbody>
                            <tr>
                              <td align=3D"left">
                                <table border=3D"0" cellpadding=3D"0" cells=
pacing=3D"0">
                                  <tbody>
                                    <tr>
                                      <td> <a href="rrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg</a> </td>
                                    </tr>
                                  </tbody>
                                </table>
                              </td>
                            </tr>
                          </tbody>
                        </table>
                        <p>rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg</p>
                        <p>rrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergergrrzgrgegegergerg</p>

                        <p>renegade.com</p>
                      </td>
                    </tr>
                  </table>
                </td>
              </tr>

            <!-- END MAIN CONTENT AREA -->
            </table>

            <!-- START FOOTER -->
            <div class=3D"footer">
              <table border=3D"0" cellpadding=3D"0" cellspacing=3D"0">
                <tr>
                  <td class=3D"content-block">
                    <span class=3D"apple-link"</span>
                    &lt;br/&gt;  <a href=3D""></a>.
                  </td>
                </tr>
                <tr>
                  <td class=3D"content-block powered-by">
                     <a href=3D""></a>.
                  </td>
                </tr>
              </table>
            </div>
            <!-- END FOOTER -->
=20=20=20=20=20=20=20=20=20=20=20=20
          <!-- END CENTERED WHITE CONTAINER -->
          </div>
        </td>
        <td> </td>
      </tr>
    </table>
  </body>
</html>


--8D57E08F-48E4-4B4A-BA1C-8FF7C1764CFF--

To break events correctly I'll suggest to use LINE_BREAKER parameter in props.conf

While looking at another sample data which you have provided, logs doesn't have consistence order of From, To, Subject etc. and due to that we can't use single regex to extract those fields. We can achieve this with multiple regex.

So something like this

<yourBaseSearch>
| rex field=_raw "From\:\s(?<from>[^\v]*)" max_match=0
| rex field=_raw "To\:\s(?<to>[^\v]*)" max_match=0
| rex field=_raw "Subject\:\s(?<subject>[^\v]*)" max_match=0
| rex field=_raw "Message-ID\:\s(?<message_id>[^\v]*)" max_match=0
| table from, to ,subject, message_id

Magically it seems to work 😄
That means separating regex allows multiple returns ... interresting !

Long way to learn still ... thanks you !

I'm going to have a look at props.conf for curiosity.

One question, i used a event delimiter as "From -" but when i want to use field_extractor i can choose either do it with regex or a delimiter.

Is there a line type field delimiter instead of space / , / Tab / Pipe ?
Maybe that would solve this problem.

I noticed that Splunk doesn't like when there are multiple "From :" answers in a same log. I didn't expect to be blocked this badly. Isn't there a way to gather and list all of the different values of "From", "To", "Subject" even if they are different ?