All Apps and Add-ons

How do I make a part of a field lowercase at index-time?

Path Finder

Hello Splunk users,

I run Splunk for Postfix, and I have a props.conf containing

EXTRACT-message_id = message-id\=\<(?<message_id>[^\>]*)\>
EXTRACT-Message_Id = Message-ID\:\s*\<(?<message_id>[^\>]*)\>

I index log lines like these:

2015-11-18T15:20:46.250700+01:00 host postfix/smtpd[10067]: 3p15sB1mdLzFpW3: client=my.example.org[10.10.10.168]
2015-11-18T15:21:14.704192+01:00 host postfix/cleanup[10000]: 3p15sB1mdLzFpW3: message-id=<dskjfsdlkfjslkDFDFSF@gMail.coM>
2015-11-18T15:21:15.073639+01:00 host postfix/qmgr[11106]: 3p15sB1mdLzFpW3: from=<postmaster@example.org>, size=313, nrcpt=1 (queue active)
2015-11-18T15:21:16.032231+01:00 host postfix/lmtp[10177]: 3p15sB1mdLzFpW3: to=<me@example.org>, relay=127.0.0.1[127.0.0.1]:20024, delay=43, delays=42/0/0.04/0.91, dsn=2.6.0, status=sent (250 2.6.0 <me@example.org> Message accepted for delivery)
2015-11-18T15:21:16.032538+01:00 host postfix/qmgr[11106]: 3p15sB1mdLzFpW3: removed
2015-11-18T15:21:16.020006+01:00 host amavis[10103]: (10103-07) Passed SPAMMY {RelayedTaggedInbound}, [127.0.0.1] [10.10.10.168] <postmaster@example.org> -> <me@example.org>, Message-ID: <dskjfsdlkfjslkDFDFSF@gmail.com>, mail_id: wFMEnpSkkuTV, Hits: 6.078, size: 1391, queued_as: 3p15sl74zczFpW4, 426 ms

As you can see, the process Amavis lowercases the domain part of Message-Id ('dskjfsdlkfjslkDFDFSF@gMail.coM' became 'dskjfsdlkfjslkDFDFSF@gmail.com'). This is a problem when I run transaction on message_id.

I don't care about case on domain part of Message-Id, so I would like to lowercase the domain part of message_id field at index-time. I have modified my props.conf as follow (like already suggested in similar answers):

EXTRACT-message_id = message-id\=\<(?<message_id>[^\>]*)\>
EXTRACT-Message_Id = Message-ID\:\s*\<(?<message_id>[^\>]*)\>
SEDCMD-message_id = s/\(@[A-Za-z0-9\.]*\)/\L\1/g
SEDCMD-Message_Id = s/\(@[A-Za-z0-9\.]*\)/\L\1/g

and I have restarted Splunk.
Unfortunately, this doesn't work. Domain part of Message-Id is not lowercased, but sed linux command line works:

# echo 'dskjfsdlkfjslkDFDFSF@gMail.coM' | sed 's/\(@[A-Za-z0-9\.]*\)/\L\1/g'
dskjfsdlkfjslkDFDFSF@gmail.com

Could you tell me how to do this with Splunk? I'm sure I have misunderstood something.
Thank you very much

Best Regards
Marco

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Hi sistemistiposta,

I'm unsure if it's possible to force a lower-case standard during index-time, however you can use "eval lower()" to force your field values into lower case before running a transaction. For example..

... | eval messageid=lower(messageid)

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Hi sistemistiposta,

I'm unsure if it's possible to force a lower-case standard during index-time, however you can use "eval lower()" to force your field values into lower case before running a transaction. For example..

... | eval messageid=lower(messageid)

View solution in original post

0 Karma