Hello All,
From a search in Splunk I get this output from the _raw field:
_raw
Oct 27 18:03:25 index-name-here postfix/smtp[xxxx]: 00000000000: to=xxx@xxx.com, relay=xxx.com[x.x.x.x]:xx, delay=0.00, delays=0.00/0.00/0.0/0.00, dsn=0.0.0, status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (in reply to RCPT TO command))
I need to extract this info from the raw data:
status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (some-text-here))
How can I do that using a rex expression on the search?
Thank you!
No, that's the default behaviour. No need to specify it.
Thanks all for the answers, I will try and let you know.
One last question: don't I have to include "field=_raw" right after the rex command?
Didn't the rex above work?
You can grab from status to the end of the line like this:
rex "status\=(?<Status>.*)"
OR just the single word like this:
rex "status\=(?<Status>\w+)"
Hello 😃
After status I need to consider the whole value:
status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (in reply to RCPT TO command))
Can I have this in 1 field?
Thank you!
Just what do you want to have? All in one field:
...| rex "(?<my_long_field>status=.*)$"
or do you want several smaller pieces?
/K
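The two patterns suggested above (the whole value from status= to the end of the line, or just the single status word) and the "several smaller pieces" option can be checked offline before pasting them into a search. The following is an added example written for this page, not code from the thread or from Splunk: it runs the same regexes with Python's re module over a constructed line modelled on the redacted event in the question, plus a constructed status=sent line to show the patterns generalise to non-bounce events. Two caveats it makes visible: Splunk's rex (PCRE) writes named groups as (?<name>...), while Python's re needs (?P<name>...); and \w alone captures only one character, so the single-word version needs \w+. The sub-field names remote_host, remote_ip, smtp_code, reason and smtp_command are hypothetical, chosen here, not from the thread.

```python
import re

# Constructed sample events modelled on the post's redacted _raw line (not real mail logs).
SAMPLE_EVENTS = [
    'Oct 27 18:03:25 index-name-here postfix/smtp[xxxx]: 00000000000: to=xxx@xxx.com, '
    'relay=xxx.com[x.x.x.x]:xx, delay=0.00, delays=0.00/0.00/0.0/0.00, dsn=0.0.0, '
    'status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (in reply to RCPT TO command))',
    'Oct 27 18:04:01 index-name-here postfix/smtp[xxxx]: 11111111111: to=yyy@yyy.com, '
    'relay=yyy.com[y.y.y.y]:25, delay=0.42, delays=0.01/0.00/0.20/0.21, dsn=2.0.0, '
    'status=sent (250 2.0.0 Ok: queued as ABCDEF)',
]

# Whole value to end of line; the Splunk equivalent is rex "(?<my_long_field>status=.*)$".
# Python's re spells named groups (?P<name>...), Splunk/PCRE accepts (?<name>...).
WHOLE_VALUE = re.compile(r'(?P<my_long_field>status=.*)$')

# Just the status word; the Splunk equivalent is rex "status=(?<Status>\w+)".
STATUS_WORD = re.compile(r'status=(?P<Status>\w+)')

# Smaller pieces of a bounce. Field names are hypothetical, chosen for this example.
# The lazy (?P<reason>.*?) followed by an optional stray quote copes with the
# unbalanced " that appears after "No Such User Here" in the sample event.
BOUNCE_DETAIL = re.compile(
    r'status=(?P<Status>\w+) \(host (?P<remote_host>[^\[\s]+)\[(?P<remote_ip>[^\]]+)\] said: '
    r'(?P<smtp_code>\d{3}) (?P<reason>.*?)"? \(in reply to (?P<smtp_command>.*?) command\)\)'
)


def extract_status(event: str) -> dict:
    """Return every field the three patterns find in one event.

    Keys that are absent simply did not match (e.g. a status=sent line has
    no host/said/SMTP-code section, so BOUNCE_DETAIL contributes nothing).
    """
    fields = {}
    for pattern in (WHOLE_VALUE, STATUS_WORD, BOUNCE_DETAIL):
        m = pattern.search(event)
        if m:
            fields.update(m.groupdict())
    return fields


def status_with_single_w(event: str) -> str:
    """Show why \\w without + is wrong: it captures only the first character."""
    m = re.search(r'status=(?P<Status>\w)', event)
    return m.group('Status') if m else ''


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(extract_status(ev))
        print('with \\w only:', status_with_single_w(ev))
```

Once the patterns behave as expected here, the Splunk form is the same expression with (?P<...>) replaced by (?<...>), e.g. ... | rex "status=(?<Status>\w+) \(host (?<remote_host>[^\[\s]+)\[(?<remote_ip>[^\]]+)\] said: (?<smtp_code>\d{3}) (?<reason>.*?)\"? \(in reply to (?<smtp_command>.*?) command\)\)". Events without the bounce structure leave those fields empty rather than failing the search.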
What after status=bounced does the rex need to consider?