Regex on comments

andres91302
Communicator

Hello guys, is there a way to make Splunk classify an email based on a word?

I want all emails that contain the word "hospital" OR the word "Care" (no matter if it is uppercase or not) to be classified as "Important", the rest as "Not important".

Kind of like this:

Email                              Class
"Hello I need a hospital bed"      Important
"Hello I can I have a quote?"      Not important


The field in which the email is stored may contain strings, values, and start with literally anything... is there a way to do this here? Thank you so much guys.



tscroggins
Influencer

@andres91302 

How you do this depends on where you want the Class field to live.

To set Class at search time using SPL:

| eval Class=if(match(_raw, "(?i)(hospital|care)"), "Important", "Not important")

To set Class at search time using props.conf:

[my_sourcetype]
EVAL-Class = if(match(_raw, "(?i)(hospital|care)"), "Important", "Not important")

This assumes your mail log has a source type named my_sourcetype. Replace this with the name of your source type.

To set Class at index time using props.conf, transforms.conf, and fields.conf:

# props.conf
[my_sourcetype]
TRANSFORMS = my_sourcetype-Class

# transforms.conf
[my_sourcetype-Class]
INGEST_EVAL = Class=if(match(_raw, "(?i)(hospital|care)"), "Important", "Not important")

# fields.conf
[Class]
INDEXED = true

For search time extractions, props.conf would be copied to your search head.

For index time extractions, props.conf and transforms.conf would be copied to your heavy forwarder or indexer and fields.conf would be copied to your search head.

The benefit to index time extraction is including the value of Class in the time series index of the bucket; however, you can achieve similar performance at search time by including search terms:

```Important```
sourcetype=my_sourcetype (hospital OR care)
| eval Class="Important"

```Not important```
sourcetype=my_sourcetype NOT (hospital OR care)
| eval Class="Not important"

Your preferred solution depends on your use cases.

For reference, I tested all options using the following dummy events:

Sat May 29 23:37:00 EDT 2021 Hello I need a hospital bed.
Sat May 29 23:38:00 EDT 2021 Hello I have a problem with access to care.
Sat May 29 23:39:00 EDT 2021 Hello I can I have a quote?
Sat May 29 23:40:00 EDT 2021 Hi can you help me find a provider?
Sat May 29 23:41:00 EDT 2021 Hello I have a question about a claim.

(It sounds like you're with a provider. I have a payer background....)

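As an added example (not part of the accepted answer), here is a Python mirror of the `eval Class=if(match(_raw, "(?i)(hospital|care)"), ...)` logic run over the dummy events above, so you can check the classification outside Splunk; it also adds a word-bounded variant (my assumption, not from the answer) because the substring pattern also marks "careful" or "healthcare" as Important.

```python
import re

# Constructed sample events: the five dummy events from the accepted answer,
# plus two extra lines added here to show the substring pitfall.
EVENTS = [
    "Sat May 29 23:37:00 EDT 2021 Hello I need a hospital bed.",
    "Sat May 29 23:38:00 EDT 2021 Hello I have a problem with access to care.",
    "Sat May 29 23:39:00 EDT 2021 Hello I can I have a quote?",
    "Sat May 29 23:40:00 EDT 2021 Hi can you help me find a provider?",
    "Sat May 29 23:41:00 EDT 2021 Hello I have a question about a claim.",
    "Sat May 29 23:42:00 EDT 2021 Please be careful with my claim.",  # constructed
    "Sat May 29 23:43:00 EDT 2021 HOSPITAL visit scheduled.",          # constructed
]

# The regex from the accepted answer: (?i) makes it case-insensitive and,
# like Splunk's match(), it matches anywhere in the event (substring semantics).
SUBSTRING_RE = re.compile(r"(?i)(hospital|care)")

# Assumed word-bounded variant: \b stops "care" from matching inside
# "careful", "healthcare" or "scared". Splunk's match() accepts \b as well.
WORD_RE = re.compile(r"(?i)\b(hospital|care)\b")


def classify(raw: str, pattern: re.Pattern = SUBSTRING_RE) -> str:
    """Mirror of: eval Class=if(match(_raw, ...), "Important", "Not important")."""
    return "Important" if pattern.search(raw) else "Not important"


def classify_all(events, pattern=SUBSTRING_RE):
    """Return (event, Class) pairs, the way `| table _raw Class` would list them."""
    return [(event, classify(event, pattern)) for event in events]


if __name__ == "__main__":
    for raw, cls in classify_all(EVENTS):
        print(f"{cls:14} {raw}")
    print("--- with word boundaries ---")
    for raw, cls in classify_all(EVENTS, WORD_RE):
        print(f"{cls:14} {raw}")
```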

andres91302
Communicator

@tscroggins That was fking awesome! What a legend, thank you so much!
