Subsearch results not matching special characters

SplunkNewbie18
New Member
11-07-2019
06:37 AM
Hi,
I'm trying to match email events which may consist of alphabets, numbers and special characters and do a count of the sender. However, those subjects with special characters (i.e. @, ", :, ]) are not picked up although they match the subsearch condition. Does anyone have any idea how to go about matching all character instances? Thanks!
index="A" sourcetype="A1"
| search
[| search index="A" sourcetype="A1" subjects="[xxx]*"
| rex field=subjects "((?:\[.*\]\s+)(?<NewEmailSubject>(?:.*)))"
| eval subjects=NewEmailSubject
| eval recipient=sender
| table subjects, recipient]
| stats values(subject) as subjects count by sender
| table sender, subjects, count

darrenfuller
Contributor
11-07-2019
09:18 AM
Can you give a sample or two of data that is failing?

SplunkNewbie18
New Member
11-07-2019
09:33 PM
Oh sure! Some sample subjects:
1. Email Received @hotmail
2. [Hi!] FYA: 'Free' Ticket
