I'm looking at sendmail logs and I'm trying to pull out a portion of the domain name based on the relay.
I've been testing using rex and have arrived at the following command.
index=mail stat relay | rex "relay=([a-zA-Z0-9-]+\.)*(?<test123>([a-zA-Z0-9-]+\.){1}((ab|bc|mb|nb|nf|nl|ns|nt|nu|on|pe|qc|sk|yk).)?([a-zA-Z0-9-]+))(s)?" | table test123
With a log line that looks like this
Nov 12 22:24:37 some.mail.host Nov 12 22:24:37 sendmail[9056]: sAD5OZKS011800: to=********@gov.ab.ca, delay=00:00:02, xdelay=00:00:01, mailer=smtp, pri=66484, relay=something.gov.ab.ca. [XXX.XXX.XXX.XXX], dsn=2.0.0, stat=Sent (ok: Message 54730621 accepted)
Nov 13 09:34:13 some.mail.host Nov 13 09:34:13 sendmail[30002]: sADGYCM5028904: to=something@example.com, ctladdr=somethingelse@example.com (999/25), delay=00:00:01, xdelay=00:00:01, mailer=smtp, pri=37906, relay=aspmx.l.google.com. [XXX.XXX.XXX.XXX], dsn=2.0.0, stat=Sent (OK 1415896453 63si40410316iol.79 - gsmtp)
Two sample relays are
something.gov.ab.ca
something.blah.google.com
In testing I end up with ab.ca and google.com.
What I'm trying to get is gov.ab.ca and google.com.
I've played with a number of regex tools online and they seem to aggressively match the gov.ab.ca. In Splunk it seems that ? after ((ab|bc|mb|nb|nf|nl|ns|nt|nu|on|pe|qc|sk|yk).) acts more like +? based on the regular expression documentation I've come across online.
Is there something I can do to get the behavior I'm looking for?
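As an added example (not part of the question, and not Splunk's own code), the Python below runs the question's pattern and an end-anchored alternative over constructed sendmail lines modelled on the ones quoted above; Python's (?P<name>...) stands in for PCRE's (?<name>...), and the IP addresses and mailbox local parts are placeholders.

```python
import re

# Constructed sample lines modelled on the sendmail log format quoted in the question.
SAMPLE_LOGS = [
    "Nov 12 22:24:37 some.mail.host Nov 12 22:24:37 sendmail[9056]: sAD5OZKS011800: "
    "to=user@gov.ab.ca, delay=00:00:02, xdelay=00:00:01, mailer=smtp, pri=66484, "
    "relay=something.gov.ab.ca. [192.0.2.10], dsn=2.0.0, stat=Sent (ok: Message accepted)",
    "Nov 13 09:34:13 some.mail.host Nov 13 09:34:13 sendmail[30002]: sADGYCM5028904: "
    "to=something@example.com, ctladdr=somethingelse@example.com (999/25), delay=00:00:01, "
    "xdelay=00:00:01, mailer=smtp, pri=37906, relay=aspmx.l.google.com. [192.0.2.20], "
    "dsn=2.0.0, stat=Sent (OK 1415896453 63si40410316iol.79 - gsmtp)",
]

# Canadian province/territory second-level labels, copied from the question's pattern.
PROVINCES = "ab|bc|mb|nb|nf|nl|ns|nt|nu|on|pe|qc|sk|yk"

# The question's pattern. The leading greedy group gives back one label at a time, and the
# FIRST arrangement that lets the rest of the pattern match wins: with two labels consumed
# the optional province group simply fails and is skipped, so only "ab.ca" is captured.
ORIGINAL = re.compile(
    r"relay=([a-zA-Z0-9-]+\.)*(?P<test123>([a-zA-Z0-9-]+\.){1}"
    r"((" + PROVINCES + r").)?([a-zA-Z0-9-]+))(s)?"
)

# Anchored alternative: the capture must run up to the trailing dot and " [" that sendmail
# prints before the relay's address, so the engine cannot settle on a shorter suffix.
ANCHORED = re.compile(
    r"relay=(?:[a-zA-Z0-9-]+\.)*?(?P<domain>[a-zA-Z0-9-]+\.(?:(?:" + PROVINCES
    + r")\.)?[a-zA-Z0-9-]+)\.? \["
)


def extract_relay_domain(line: str, pattern: re.Pattern, group: str):
    """Return the named capture from the first match in a sendmail log line, or None."""
    m = pattern.search(line)
    return m.group(group) if m else None


def original_domains(lines=SAMPLE_LOGS):
    return [extract_relay_domain(line, ORIGINAL, "test123") for line in lines]


def anchored_domains(lines=SAMPLE_LOGS):
    return [extract_relay_domain(line, ANCHORED, "domain") for line in lines]


def domain_from_relay(relay: str):
    """Apply the anchored pattern to a bare relay hostname as sendmail would print it."""
    return extract_relay_domain(f"relay={relay}. [192.0.2.1]", ANCHORED, "domain")


if __name__ == "__main__":
    print("original:", original_domains())  # ['ab.ca', 'google.com']
    print("anchored:", anchored_domains())  # ['gov.ab.ca', 'google.com']
```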