topic Re: How to write a Regex to capture the Path(\Απεσταλμένα) and Subject (TYPICAL MAIN SHELF)? in Splunk Search

How to write a Regex to capture the Path(\Απεσταλμένα) and Subject (TYPICAL MAIN SHELF)?

biswa2112 — Mon, 22 Aug 2022 19:14:09 GMT

I want to capture the Path (\Απεσταλμένα) and Subject (TYPICAL MAIN SHELF) . I am using below regex Subject\W\s(?<Subject>.*) and

rex "Path\W\s(?<Path>\W.*)"

But these are not working . It is not capturing the path while for subject it is capturing many more lines which are not required .

Someone please help

PH0PR07MB8510A5DC1014429F3B411EB1E39B9@PH0PR07MB8510.namprd07.prod.outlook.com>
IsRecord: false
ParentFolder: { [-]
Id: LgAAAACYR3ou5YLkQLdwhKR5o0aGAQDzGy/hF08sRpmozaW+A2HqAAAAdHcNAAAB
Path: \Απεσταλμένα
}
SizeInBytes: 180998
Subject: TYPICAL MAIN SHELF
}
LogonType: 0
LogonUserSid: S-1-5-21-2050334910-350505970-4048673702-5100548
MailboxGuid: 967cf2f1-6b52-4e79-bf98-1hnfj55667
MailboxOwnerSid: S-1-5-21-2050334910-350505970-499886553

Re: How to write a Regex to capture the Path(\Απεσταλμένα) and Subject (TYPICAL MAIN SHELF)?

bowesmana — Mon, 22 Aug 2022 23:36:52 GMT

It depends on what the data really looks like - the .* part of the Subject capture will capture everything up to a line terminator. You data _implies_ that the text is on multiple lines, but it looks like you've pasted that from a JSON viewer, which is interpreting your data - particularly as there are no visible quotes, which would be expected in JSON.

Can you show the RAW field rather than this formatted one.

The .* capture part of the field may probably be better written as

[^\"]*

i.e. capture up to a terminating quotation character. However, it also may be that the JSON can be parsed directly with spath - depending on what fields are extracted