Re: How to combine Fw: and Fwd in email Subjects

smurfy_91 · ‎11-08-2017

Let's say I had used a search like:

index=mail RecipientUserDomain=user@domain.com | stats count by Subject | sort-count |

and returned results such as:

Subject

Fwd: This is a subject
Fw: This is a subject
Random Subject
Fwd: Another subject
Different Subject
Fw: Another Subject

What can I use to remove the "Fwd:" & "Fw:" from the Subject to combine the counts?

richgalloway · ‎11-08-2017

There are a few ways to do that.

... | replace "Fw*: " with "" in Subject | stats ...

... | rex field=Subject mode=sed "s/Fwd?:\s(.*)/\1/" | stats ...

... | rex field=Subject "Fwd?: (?<Subject>.*)" | stats ...

---
If this reply helps you, Karma would be appreciated.

koshyk · ‎11-08-2017

Please have a try

index=mail RecipientUserDomain=user@domain.com | rex field=Subject "(Fw(.?)\:(\s+))?(?<mysubject>.+)" | stats count by mysubject | sort -count

Example

|makeresults| eval Subject="Fwd: This is a subject||Fw: This is a subject||Random Subject||Fwd: Another Subject||Different Subject||Fw: Another Subject"| makemv delim="||" Subject | mvexpand Subject | rex field=Subject "(Fw(.?)\:(\s+))?(?<mysubject>.+)" | stats count by mysubject | sort -count

https://regex101.com/r/U1N8xw/1

How to combine Fw: and Fwd in email Subjects

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk