Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data extraction for msexchange subject field?

priya1926
Path Finder
‎03-28-2023 06:05 AM

Hi Team,

 

I need a rex command to extract subject field from the event _raw.. Currently i am splitting the fields with comma(,) and extracting the fields based on Index number.
The above scenario is success for 80 % of data but it fails to extract for rest because
 subject contains comma within the subject itself which is causing the subject to split into two different fields.

Labels (3)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-28-2023 08:56 AM

Please share some sample events.

---
If this reply helps you, Karma would be appreciated.
Reply

priya1926
Path Finder
‎03-28-2023 09:16 AM

examples of subject

 "RE:This is about subject, field"

 RE,This is about subject field 1

[internal] "RE:This is about subject field"

 "RE:This is about subject field 1,2,3

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-28-2023 09:27 AM

This doesn't look like a raw event (just the subject field?) - please share the full raw event in a code block </>

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-28-2023 08:55 AM

Please share some anonymised events in a code block </> to preserve formatting.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...