Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract multiple file names from email attachm...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract multiple file names from email attachments
Trying to extract all email attachments file names. I am no good with Rex/Regex, so I used the automatic extraction in Splunk... However, the extraction is only pulling the first file name, never anything after.
In Splunk on the Extraction/Transfor, field I got
(?=[^"](?:"filename":|"."filename":))^[^/\n]*/\w+",\s+"\w+":\s+"(?P[^"]+)
Need to know what to add in order for it to loop through for each attachment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry all, completely forgot about it. Still an issue, but I don't have time to deal with it at this point. If I can delete the question, I will.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can you please share sample logs? Also, if your rex is working fine then can you try adding max_match = 0 after the rex which will help you in looping through each attachment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You need to provide us a sample of your logs. One suggestion - your regex is probably not working. You need to write your own regex and not depend on extract from splunk web, If you do provide us a some samples we can surely help you on this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share some sample log entries. You probably need to user Field transform in order to capture multiple values (creating multivalued field).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@biers04 - is this still an issue? If so, please post some non-confidential samples of the events you are trying to extract. When you post the data, or when you post code, please be sure to mark it with the code button (101 010) or surround it with grave accents (the ones on the tilde key ~), or put at least four spaces before each line, so that the interface will not treat html-like data as html or xml code.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
