Hi everybody!
We are using the following field extraction, in compliance with CIM(1):
^\<\d+\>(?:.+\d+:\d+:\d+)\s+(?<dvc>\w+)\s+(?<process>[a-z]+)\[(?<process_number>\d+)\]:\s+(?<process_id>[^\|]+)\|(?<internal_message_id>[^\|]+)\|(?<message_info>\w+[^\|])?\|?(?<x1>[^\|]+)?\|?(?<x2>[^\|]+)?\|?(?<x3>[^\|]+)?\|?(?<xn>[^$|\s]+.*)?$
We define the fields like '{field}=value' and we always use a subsearch to find something:
sourcetype=smg IRCPTACTION
[search sourcetype=smg *gmail.com | stats count by internal_message_id| table internal_message_id]
| eval {message_info}=x1, audit_id=internal_message_id
| transaction audit_id maxpause=15min
We tried another regex, but it doesn't have all fields like SPF, DKIM and DMARC.
(1) https://docs.splunk.com/Documentation/CIM/4.15.0/User/Email
(2) http://alec.dhuse.com/wp/2016/09/
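As an added example (not part of the original post), the following Python script runs the extraction above over a few constructed SMG-style syslog lines and then reproduces what the `eval {message_info}=x1, audit_id=internal_message_id | transaction audit_id` pipeline does to them, so you can see which named groups actually populate and how the value of message_info turns into a field name. The sample lines are made up for the demonstration, Python's re module needs (?P<name>) instead of (?<name>) so the pattern is converted first, and the maxpause window of transaction is not modelled.

```python
import re
from collections import defaultdict

# The extraction from the post, converted from PCRE (?<name>) to Python's (?P<name>) syntax.
SMG_PATTERN = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", (
    r"^\<\d+\>(?:.+\d+:\d+:\d+)\s+(?<dvc>\w+)\s+(?<process>[a-z]+)\[(?<process_number>\d+)\]:\s+"
    r"(?<process_id>[^\|]+)\|(?<internal_message_id>[^\|]+)\|(?<message_info>\w+[^\|])?\|?"
    r"(?<x1>[^\|]+)?\|?(?<x2>[^\|]+)?\|?(?<x3>[^\|]+)?\|?(?<xn>[^$|\s]+.*)?$"
))
SMG_RE = re.compile(SMG_PATTERN)

# Constructed sample events (not real SMG output); the first two share one internal_message_id.
SAMPLE_EVENTS = [
    "<13>Mar  3 10:15:42 smg01 ecelerity[12345]: proc01|MSG0001|IRCPTACTION|DELIVER|user@gmail.com|sender@example.com|extra",
    "<13>Mar  3 10:15:43 smg01 ecelerity[12345]: proc01|MSG0001|VERDICT|clean|user@gmail.com",
    "<13>Mar  3 10:16:01 smg01 ecelerity[12346]: proc02|MSG0002|IRCPTACTION|REJECT|other@example.org",
]


def extract_fields(event):
    """Apply the extraction; return the populated named groups, or None if the line does not match."""
    m = SMG_RE.match(event)
    if m is None:
        return None
    return {name: value for name, value in m.groupdict().items() if value is not None}


def eval_dynamic_field(fields):
    """Mimic `eval {message_info}=x1, audit_id=internal_message_id`:
    the VALUE of message_info becomes a new field name that holds x1."""
    out = dict(fields)
    if "message_info" in fields and "x1" in fields:
        out[fields["message_info"]] = fields["x1"]
    out["audit_id"] = fields["internal_message_id"]
    return out


def transaction_by_audit_id(events):
    """Merge events that share an audit_id, like `transaction audit_id`: every field
    becomes a multivalue list of the distinct values seen, in event order."""
    grouped = defaultdict(dict)
    for event in events:
        fields = extract_fields(event)
        if fields is None:
            continue  # non-matching lines never reach the eval/transaction stage
        evaluated = eval_dynamic_field(fields)
        merged = grouped[evaluated["audit_id"]]
        for name, value in evaluated.items():
            values = merged.setdefault(name, [])
            if value not in values:
                values.append(value)
    return dict(grouped)
```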