Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Different field value result - props.conf versus rex - using same regular expression

Derek
Path Finder
‎07-02-2010 01:35 PM

I have an event that is coming from a Windows forwarder. When you view the event in the log file on the server it looks like this:

---- log entry made at 07/02/2010 09:15:00
Incoming SMTP call from a.b.c.d at 09:15:00.
Message B021531231236@int2.mydomain.com received at 09:15:00 from mail1.outsidedomain.com (unverified [a.b.c.d]).
Size: 18842 bytes
Return-path: Reports@domainA.com
Recipients: joe.smith@mig.mydomain.com,
Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00.

When you search for the event in splunk web it looks the same.

If I use rex in search to get the Return-path using: (?i)\-path: (?P<from>.*) I get the proper values 'Reports@domainA.com', but if I put the regex into props.conf for that field I'm getting 'Reports@domainA.comRecipients: joe.smith@mig.mydomain.com, Incoming SMTP (SSL/TLS) call from a.b.c.d completed at 09:15:00.'

Is it possible for splunk web to be putting a newline in or something like that?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-02-2010 02:46 PM

Change it to:

(?i-s)-path: (?P<from>.*)

or:

(?i)-path: (?P<from>\V*)

\V is "not vertical whitespace character"

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-02-2010 02:46 PM

Change it to:

(?i-s)-path: (?P<from>.*)

or:

(?i)-path: (?P<from>\V*)

\V is "not vertical whitespace character"

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-03-2010 03:54 AM

basically, the difference is that rex apparently has the (?s) option on by default, and props.conf does not. this determines whether . matches newlines. the first example turns off the option, the second makes it irrelevant.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...