Look this link: https://regex101.com/r/kR0iS8/1 Do you prefer stats against transaction? And about events out of window time? are you aware of this information? "All events in a summary index have stash as their default source type. If you use a command like collect to change their source type to anything other than stash, you will incur license usage charges for those events". ... View more

Hi. Did you create the summary index? which query did you use ... View more

Hi everybody! We are using the following field extraction, in compliance with CIM(1): ^\<\d+\>(?:.+\d+:\d+:\d+)\s+(?<dvc>\w+)\s+(?<process>[a-z]+)\[(?<process_number>\d+)\]:\s+(?<process_id>[^\|]+)\|(?<internal_message_id>[^\|]+)\|(?<message_info>\w+[^\|])?\|?(?<x1>[^\|]+)?\|?(?<x2>[^\|]+)?\|?(?<x3>[^\|]+)?\|?(?<xn>[^$|\s]+.*)?$ We define the fields like ´{field}=value´ and we always use subsearch to find something : sourcetype=smg IRCPTACTION [search sourcetype=smg *gmail.com | stats count by internal_message_id| table internal_message_id] | eval {message_info}=x1, audit_id=internal_message_id | transaction audit_id maxpause=15min We tried another regex, but it doesn't have all fields like SPF, DKIM and DMARC. 1 https://docs.splunk.com/Documentation/CIM/4.15.0/User/Email 2 http://alec.dhuse.com/wp/2016/09/ ... View more