Solved: dovecot Logs

siemsplunk · ‎07-23-2024

Hello team,

Am working with dovecot logs-- it's a mail logs.

I managed to integrate it with Splunk through syslog.

it gives me the logs in this format (Attached screenshot)

Now, I want to create a new field to have value of to/receiver
From the screenshot the value of to/receiver is in lda(value)

NOTE: on the below screenshot I dont have to/receiver values i just have from/sender and subject

Help me please !

bowesmana · ‎07-24-2024

You can do inline extraction with rex, e.g.

| rex "lda\((?<to>[^\)]*)\)"

which will extract a new field called to from the portion between the brackets

You can also set this up as a field extraction - see Fields->Field Extractions and create a new field extraction there using the regex above and then, if lda(xxx) exists in your data, you will get a field called to

View solution in original post

bowesmana · ‎07-24-2024

You can do inline extraction with rex, e.g.

| rex "lda\((?<to>[^\)]*)\)"

which will extract a new field called to from the portion between the brackets

You can also set this up as a field extraction - see Fields->Field Extractions and create a new field extraction there using the regex above and then, if lda(xxx) exists in your data, you will get a field called to

dovecot Logs

configuration

troubleshooting

using Splunk Enterprise

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?