https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87167#M22289 <P>Hi Ayn, here is a sample of the logfile, I want to extract the subject:</P> <P>Mon Jul 2 10:20:38 2012 Info: Start MID 62771585 ICID 33896658<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 ICID 33896658 From: &lt;*****<STRONG><EM>&gt;<BR /> Mon Jul 2 10:20:38 2012 Info: Delivery start DCID 24405838 MID 62771584 to RID [0]<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 ICID 33896658 RID 0 To: &lt;</EM></STRONG>*<STRONG><EM>&gt;<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 Message-ID '<A href="mailto:2B2E0EB229A8F44AB8C55D5E296BCFC40C584F@SCOMP0934.wurnet.nl">2B2E0EB229A8F44AB8C55D5E296BCFC40C584F@SCOMP0934.wurnet.nl</A>'<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 Subject 'FW: Postbus AgroFood vanaf vrijdag 17:00 VOL: opnieuw inzenden!!'<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 ready 19724 bytes from &lt;</EM></STRONG>****&gt;<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 matched all recipients for per-recipient policy DEFAULT in the outbound table<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 interim AV verdict using Sophos CLEAN<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 antivirus negative </P> Mon, 02 Jul 2012 08:55:03 GMT dictudatacom 2012-07-02T08:55:03Z https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87164#M22286 <P>Hi, I want to extract the 'subjects' from my SMTP maillog but the regex I have built doesn't seem to work. I have built the same type of regex to extract the FROM en TO fields and that works so I'm puzzled why it doesn't extract the subjects...</P> <P>Regex looks like this:</P> <P>(?i) subject &lt;(?P<ONDERWERP>[^&gt;]*)</ONDERWERP></P> <P>Can anyone help me out ? Thanks in advance!</P> Fri, 29 Jun 2012 09:47:05 GMT https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87164#M22286 dictudatacom 2012-06-29T09:47:05Z https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87165#M22287 <P>Please include a log sample. Without it it's hard to build a regex that should match.</P> Fri, 29 Jun 2012 11:30:32 GMT https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87165#M22287 Ayn 2012-06-29T11:30:32Z https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87166#M22288 <P>have you tried using the "extract fields" dropdown from one of the events? </P> Fri, 29 Jun 2012 13:40:08 GMT https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87166#M22288 jfraiberg 2012-06-29T13:40:08Z https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87167#M22289 <P>Hi Ayn, here is a sample of the logfile, I want to extract the subject:</P> <P>Mon Jul 2 10:20:38 2012 Info: Start MID 62771585 ICID 33896658<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 ICID 33896658 From: &lt;*****<STRONG><EM>&gt;<BR /> Mon Jul 2 10:20:38 2012 Info: Delivery start DCID 24405838 MID 62771584 to RID [0]<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 ICID 33896658 RID 0 To: &lt;</EM></STRONG>*<STRONG><EM>&gt;<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 Message-ID '<A href="mailto:2B2E0EB229A8F44AB8C55D5E296BCFC40C584F@SCOMP0934.wurnet.nl">2B2E0EB229A8F44AB8C55D5E296BCFC40C584F@SCOMP0934.wurnet.nl</A>'<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 Subject 'FW: Postbus AgroFood vanaf vrijdag 17:00 VOL: opnieuw inzenden!!'<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 ready 19724 bytes from &lt;</EM></STRONG>****&gt;<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 matched all recipients for per-recipient policy DEFAULT in the outbound table<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 interim AV verdict using Sophos CLEAN<BR /> Mon Jul 2 10:20:38 2012 Info: MID 62771585 antivirus negative </P> Mon, 02 Jul 2012 08:55:03 GMT https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87167#M22289 dictudatacom 2012-07-02T08:55:03Z https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87168#M22290 <P>Hi</P> <P>Did you get an answer for this - trying to do this myself. My email subjects differ so I want to table them all </P> <P>How did you end up extracting the subject lines?</P> <P>Thanks<BR /> Sue</P> Fri, 16 Aug 2013 03:52:31 GMT https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87168#M22290 suepfarrell 2013-08-16T03:52:31Z https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87169#M22291 <P>Your regex should looking something like this.</P> <P>Subject.'(?<SUBJECT>.*)'</SUBJECT></P> Fri, 16 Aug 2013 05:04:20 GMT https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87169#M22291 jstockamp 2013-08-16T05:04:20Z https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87170#M22292 <P>Thx jstockamp - that didn't quite work. I will give more detail in my own question I think. About to go set one up now.<BR /> Thanks</P> Fri, 16 Aug 2013 05:54:21 GMT https://community.splunk.com/t5/Splunk-Search/extract-subject-from-maillog/m-p/87170#M22292 suepfarrell 2013-08-16T05:54:21Z