- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: ESA field extraction using regex!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
How to extract the field for the below sample ESA logs.
Sun Jun 11 17:33:36 2017 Info: Double bounce: MID 112011 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up abc.com (MX): KKDOMAIN'
Sun Jun 11 10:30:23 2017 Info: Double bounce: MID 221212 to 0 - 5.4.7 - Delivery expired (message too old) [Default] 451-'Open is not allowed please check'
I need the
field1="Bad destination host" & "Delivery expired (message too old) "
field2="'DNS Hard Error looking up abc.com (MX): KKDOMAIN" & "Open is not allowed please check"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi kiran331,
based on the provided examples and based on my assumption that field1 always has the MID 112011 and field2 has the MID 221212 you can use this regex:
MID\s\d+\sto\s\d\s-\s5\.1\.2\s-\s(?<field1>[^\r\n]+)|MID\s\d+\sto\s\d\s-\s5\.4\.7\s-\s(?<field2>[^\r\n]+)
Hope this helps ...
cheers, MuS
Updated after comment ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi kiran331,
based on the provided examples and based on my assumption that field1 always has the MID 112011 and field2 has the MID 221212 you can use this regex:
MID\s\d+\sto\s\d\s-\s5\.1\.2\s-\s(?<field1>[^\r\n]+)|MID\s\d+\sto\s\d\s-\s5\.4\.7\s-\s(?<field2>[^\r\n]+)
Hope this helps ...
cheers, MuS
Updated after comment ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MID will be different for each events, is there a way to get the field values after 5.1.2 - OR 5.4.7-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sure, see my updated answer 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI Mus, Thanks for the solution. Is there a way to update this for all values not only 5.1.2 Or 5.4.7, it has different values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to have them all in the same field name, Yes. Otherwise you would have to use different field names and therefore different regex's for each 5.1.2 or 5.4.7 like number. So for example for matches into one field name you can use this:
MID\s\d+\sto\s\d+\s-\s\d\.\d\.\d\s-\s(?<field>[^\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
or you use props.conf and transforms.conf like this:
props.conf
[mySourceType]
REPORT-myDynamicFieldName = myDynamicFieldName
transforms.conf
[myDynamicFieldName]
REGEX = MID\s\d+\sto\s\d+\s-\s(\d\.\d\.\d)\s-\s([^\r\n]+)
FORMAT = fieldname_$1::$2
This will create a dynamic field name like fieldname_5.1.2 or fieldname_5.4.7 in search time ...
Maybe this helps?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
