Re: Help on construct rex expression

mariaerh · ‎10-30-2013

Hello All,

From a search in Splunk I get this output from the _raw field:

(I have modified a bit the output for privace)

_raw
Oct 27 18:03:25 index-name-here postfix/smtp[xxxx]: 00000000000: to=xxx@xxx.com, relay=xxx.com[x.x.x.x]:xx, delay=0.00, delays=0.00/0.00/0.0/0.00, dsn=0.0.0, status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (in reply to RCPT TO command))

I need to extract this info from the raw data:
status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (some-text-here))

How can I do that using a rex expression on the search?

Thank you!

kristian_kolb · ‎10-31-2013

no, that's default behaviour. no need to specify.

mariaerh · ‎10-31-2013

Thanks all for the answers, I will try and let you know.

One last question, don't I have to include this "field=_raw" right after the command rex ?

kristian_kolb · ‎10-31-2013

didn't the rex above work?

adylent · ‎10-31-2013

You can grab from status to the end of the line like this:

rex "status\=(?<Status>.*)"

OR just the single word like this:

rex "status\=(?<Status>\w)"

mariaerh · ‎10-31-2013

Hello 😃

After status I need to consider the whole value:

status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (in reply to RCPT TO command))

Can I have this in 1 field?

Thank you!

kristian_kolb · ‎10-30-2013

just what do you want to have? all in one field;

...| rex "(?<my_long_field>status=.*)$"

or do you want several smaller pieces?

/K

lukejadamec · ‎10-30-2013

What after status=bounced does the rex need to consider?

Help on construct rex expression

(I have modified a bit the output for privace)

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!