Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Subsearch results not matching special characters

SplunkNewbie18
New Member
‎11-07-2019 06:37 AM

Hi,

I'm trying to match email events which may consists of alphabets, numbers and special characters and do a count of the sender. However, those subjects with special characters (i.e. @, ", :, ]) is not picked up although its matching the subsearch condition. Anyone has any idea how to go about matching all character instances? Thanks!

index="A" sourcetype="A1" 
| search 
    [| search index="A" sourcetype="A1" subjects="[xxx]*" 
    | rex field=subjects "((?:\[.*\]\s+)(?<NewEmailSubject>(?:.*)))" 
    | eval subjects=NewEmailSubject
    | eval recipient=sender 
    | table subjects, recipient] 
  | stats values(subject) as subjects count by sender    
  | table sender, subjects, count
0 Karma
Reply

darrenfuller
Contributor
‎11-07-2019 09:18 AM

can you give a sample or two of data that is failing?

0 Karma
Reply

SplunkNewbie18
New Member
‎11-07-2019 09:33 PM

Oh sure! Some subjects sample:
1. Email Received @hotmail
2. [Hi!] FYA: 'Free' Ticket

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top