Hello Splunk folks!
Currently I am learning Splunk as a student, and I'm having a hard time with some mail logs, only through log files and not real-time forwarders.
I succeeded in separating the groups of lines with a delimiter when importing data into an index in Splunk, which is "From -".
Every "From -" is well separated.
Things get complicated when I try to do a manual field extraction with a delimiter or regex: it doesn't allow me to interactively extract, from the "Required" and "Extracted" info, things such as "From:", "To:", "Subject:", "Message-ID:" ...
I even tried the following lines and various methods in Search & Reporting:
index=* OR index=_* sourcetype=test_bla | rex field=_raw "From: (?<from>.*) Subject: (?<subject>.*)" | table from, subject
I am guessing that I did something wrong, or maybe there are too many lines shown under every "From -", which is why it doesn't want to extract the patterns I wish for, such as "From:", "To:" and "Subject:".
From - Thu Feb 28 18:00:00 2019
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <dmarc@imp.bla.bou>
Received: from lmtpproxyd (podcast [2.2.2.2])
by backend (Cyrus v1.1.1) with LMTPA;
Thu, 08 Feb 2019 19:01:01 +0100
X-Sieve: CMU Sieve 1.1
Received: from podcast.blabla.com (localhost [127.0.0.1])
by podcast (Cyrus v1.1.1) with LMTPA;
Thu, 08 Feb 2019 19:01:01 +0100
Received: from localhost (localhost [127.0.0.1])
by podcast.blabla.com (Postfix) with ESMTP id 22222222222
for <ress@podcast.blabla.com>; Thu, 8 Feb 2019 19:01:01 +0100 (CET)
X-Virus-Scanned: amavisd-new at blabla.blablabla.blablabla.com
Received: from podcast.blabla.com ([127.0.0.1])
by localhost (podcast.blabla.com [127.0.0.1]) (amavisd-new, port 10000)
with ESMTP id 555555555 for <ress@podcast.blabla.com>;
Thu, 8 Feb 2019 19:01:01 +0100 (CET)
Received: from pfilter.bla (unknown [3.3.3.3])
by podcast.blabla.com (Postfix) with ESMTP id 99999999999
for <ress@blabla.blablabla.blablabla.com>; Thu, 8 Feb 2019 19:01:01 +0100 (CET)
Received: from mail.blabla.blablabla.blablabla.com (unknown [12.12.12.12])
by pfilter.bla (Postfix) with ESMTP id 98989898
for <ress@blabla.blablabla.blablabla.com>; Thu, 8 Feb 2019 19:01:01 +0100 (CET)
Received: from mail.blabla.blablabla.blablabla.com (unknown [127.0.0.1])
by localhost (Postfix) with SMTP id 9797979797
for <ress@blabla.blablabla.blablabla.com>; Thu, 8 Feb 2019 19:01:01 +0100 (CET)
Received: from renegade.out.com (renegade.out.com [192.1.1.233])
(using TLSv1.2 with cipher ADH-AES256 (256/256 bits))
(No client certificate requested)
by mail.blabla.blablabla.blablabla.com (Postfix) with ESMTPS id 55555555
for <ress@blabla.blablabla.blablabla.com>; Thu, 8 Feb 2019 19:54:47 +0100 (CET)
Received: by renegade.out.com (ESMTP on OUT Domain, from userid 11)
id 6666666; Thu, 8 Feb 2019 19:54:47 +0100 (CET)
From: dmarc@imp.bla.bou
To: ress@blabla.blablabla.blablabla.com
Date: Thu, 8 Feb 2019 19:54:47 +0100 (CET)
Subject: Forward: BLBLBLBLBLBLBLIIIIIIIIIO ..
MIME-Version: 1.0
Content-Type: multipart/report;
report-type=feedback-report;
boundary="renegade.out.com:86868686"
Message-Id: <20190207185447.6666666@renegade.out.com>
X-PMX-SpamDetected: [PMX:8%] Forward: BLBLBLBLBLBLBLIIIIIIIIIO ..
--renegade.out.com:86868686
Content-Type: text/plain
This is an authentication failure report for an email message received from IP
9.9.9.9 on Thu, 8 Feb 2019 19:01:01 +0100 (CET).
--renegade.out.com:86868686
Content-Type: message/feedback-report
Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results: out-dmarc; dmarc=fail header.from=blabla.blablabla.blablabla.com
Original-Envelope-Id: 86868686
Original-Mail-From: support@blabla.blablabla.blablabla.com
Source-IP: 9.9.9.9 ([9.9.9.9])
Reported-Domain: blabla.blablabla.blablabla.com
--renegade.out.com:86868686
Content-Type: text/rfc822-headers
Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=9.9.9.9; helo=ouaileu.com; envelope-from=support@blabla.blablabla.blablabla.com; receiver=<UNKNOWN>
X-Greylist: delayed 451 seconds by postgrey-1.36 at white; Thu, 08 Feb 2019 19:01:01 CET
Received: by ouaileu.com (Postfix, from userid 33)
id 76767676762; Thu, 8 Feb 2019 18:47:18 +0000 (UTC)
To: edward.brass@out.com
Subject: BLBLBLBLBLBLBLIIIIIIIIIO ..
X-PHP-Originating-Script: 0:x.php
Date: Thu, 8 Feb 2019 18:47:18 +0000
From: "blabla.blablabla.blablabla.com" <support@blabla.blablabla.blablabla.com>
Message-ID: <7668576454764684574rfege@9.9.9.9>
X-Mailer: Leaf PHPMailer 2.7 (leafmailer.pw)
MIME-Version: 1.0
Content-Type: text/html; charset=
Content-Transfer-Encoding: 8bit
--renegade.out.com:86868686--
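Added example (not part of the original post) showing why the single-line regex from the question finds nothing and how a per-line, multiline-anchored pattern extracts the headers instead. It uses a constructed, trimmed event in the same "From -" style as the sample above; the Python `re` module is used here in place of Splunk's rex, and the function names are my own.

```python
import re

# Constructed sample: a trimmed DMARC failure report in the post's mbox style.
SAMPLE = """\
From - Thu Feb 28 18:00:00 2019
Return-Path: <dmarc@imp.bla.bou>
From: dmarc@imp.bla.bou
To: ress@blabla.blablabla.blablabla.com
Date: Thu, 8 Feb 2019 19:54:47 +0100 (CET)
Subject: Forward: BLBLBLBLBLBLBLIIIIIIIIIO ..
Message-Id: <20190207185447.6666666@renegade.out.com>
Feedback-Type: auth-failure
Auth-Failure: dmarc
Source-IP: 9.9.9.9 ([9.9.9.9])
To: edward.brass@out.com
Subject: BLBLBLBLBLBLBLIIIIIIIIIO ..
From: "blabla.blablabla.blablabla.com" <support@blabla.blablabla.blablabla.com>
Message-ID: <7668576454764684574rfege@9.9.9.9>
"""

# The pattern from the question. '.' never matches a newline, so both captures
# would have to sit on ONE line, but From: and Subject: are on separate lines.
SINGLE_LINE = re.compile(r"From: (?P<from>.*) Subject: (?P<subject>.*)")

# Per-line pattern: (?m) makes ^ and $ match at every line break, (?i) accepts
# both Message-Id and Message-ID, and the value stops at the end of its line.
HEADER = re.compile(
    r"(?im)^(?P<name>From|To|Subject|Message-Id|Source-IP|Auth-Failure):"
    r"[ \t]*(?P<value>.*?)[ \t]*$"
)


def naive_extract(event):
    """Reproduce the original attempt; returns None because nothing matches."""
    m = SINGLE_LINE.search(event)
    return m.groupdict() if m else None


def extract_headers(event):
    """Return {header_name_lower: [values, ...]} keeping every occurrence.
    A DMARC failure report carries the report's own headers AND the forwarded
    original message's headers, so From:, To: and Subject: each appear twice;
    the first value is the report envelope, the last one is the spoofed mail."""
    found = {}
    for m in HEADER.finditer(event):
        found.setdefault(m.group("name").lower(), []).append(m.group("value"))
    return found
```

The same fix in SPL is to anchor per line and keep all matches, e.g. `rex field=_raw max_match=0 "(?m)^From:\s*(?<from>[^\r\n]+)"`, then read `from` as a multivalue field.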