Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract attachments?

treven
Explorer
‎07-28-2023 06:27 AM

I am attempting to extract attachment fields from our email logs using regex. Attachments like .jpg, .png, pdf, etc. I have gone through the process of using the SPL field extracting feature however it usually results in only one attachment type being selected or another, if I try and select other attachment types the extraction fails. Any suggestions would be greatly appreciated. Thank you. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2023 08:14 AM

Hi @treven,

maybe this regex could work for you:

| rex "(?<file>\w+\.(jpg|pdf|png))"

that you can test at https://regex101.com/r/ol040L/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

treven
Explorer
‎07-28-2023 08:32 AM

@gcusello 

That did it! Thank you very much for your assistance with this! 

0 Karma
Reply
Solved! Jump to solution

treven
Explorer
‎07-28-2023 08:05 AM
So, I was able to get the field extractor to do both png and jpg but any other selected field results in an error. I suppose I could create separate fields and use eval to somewhat accomplish what I am looking for. 
 
 
Here are some examples: 
 
date=2023-07-28 time=09:00:22.791 device_id=10000 log_id=000123 type=spam subtype=default pri=information  session_id="1138-7644" client_name="" client_ip="1.1.1.1" dst_ip="1.1.1.1" from="email" to="email" subject="TITLE" msg="Antispam identified spam URL: http://website.jpg"



 

date=2023-07-28 time=08:51:25.640 device_id=02222 log_id=00023 type=virus subtype=sandbox pri=information  from="" to="" client_name="" client_ip="" session_id="1000-0322" msg="File file.pdf has been sent to Sandbox"
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2023 08:14 AM

Hi @treven,

maybe this regex could work for you:

| rex "(?<file>\w+\.(jpg|pdf|png))"

that you can test at https://regex101.com/r/ol040L/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

treven
Explorer
‎07-28-2023 08:34 AM

@gcusello ,

 

This worked really well! Thank you very much for your assistance!

0 Karma
Reply
Solved! Jump to solution

treven
Explorer
‎07-28-2023 06:57 AM

Yeah absolutely, I will post it soon. Thanks for your assistance. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2023 06:33 AM

Hi @treven,

I suppose that you're speaking to extract the file name of the attachment, not the attachment file itself!

Anyway, the field extraction should already be present in the Add-On you're using, if not, please share a sample of your logs, highlighting in bold the data to extract.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

treven
Explorer
‎07-28-2023 06:52 AM

Yes that is correct I am just looking to monitor the various types of attachment types. As I stated in my post, the field extracting feature is only allowing one type of attachment. It will only extract .jpg fields and will ignore pdf or png. If I try to add another by selecting it in an event, I will get an error. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2023 06:54 AM

Hi @treven,

ok, could you share a sample (in text format) of your logs (eventually masking data)?

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...