Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I ignore additional data from a field

iMarko
Engager
‎02-24-2022 03:42 PM

Hi, I'm writing a splunk query to find emails with specific file types attached

I have the regex working which pulls the files and also extracts the file extensions which I'll be using for data collection purposes later. I will then use this extracted file extension to search and return specific emails containing files with said extension (hope that makes sense)

The problem is that when I use

|where FileExtension=".doc"

I get events returned where it contains a .doc file which is fine. But it also shows all the other files attached which I do not want.

For example I want my output to be

senderrecipientfile.doc

 

But what I am getting is 

senderrecipient

file.doc

file.a

file.b

file.c

file.d

 

Is there any way to do some kind of exclusive search that will ignore the extra data in the file field that are not .doc's as they are of no interest to me at the moment?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎02-24-2022 08:01 PM

Hey @iMarko,

You can try using the mvexpand function as below and then filter from the fileExtension field. I believe the third column is a file name and the extension is being extracted in another field for which you have written the where condition. Please find the reference query below

| mvexpand fileName
| where FileEntension=".doc"

 

---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

Reply
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎02-24-2022 08:01 PM

Hey @iMarko,

You can try using the mvexpand function as below and then filter from the fileExtension field. I believe the third column is a file name and the extension is being extracted in another field for which you have written the where condition. Please find the reference query below

| mvexpand fileName
| where FileEntension=".doc"

 

---
If you find the answer helpful, an upvote/karma is appreciated
Reply
Solved! Jump to solution

iMarko
Engager
‎02-25-2022 12:39 AM

Hi thanks for your help, this nearly worked but it did get me 99% of the solution I needed.

I had to mvexpand both my Files and Extension fields and then use search instead of where. So just in case anyone comes across this while searching online (I spent a good while searching before posting) here was the solution:

| rex field=filenameandurl "(?<Files>mess of regex)"  -- to get a list of all files in the email
| rex field=Files "(?<Extension>mess of regex)"  -- to get just the file extensions (for counting purposes)
| mvexpand Extension
| mvexpand Files
| search Extension=".doc" AND Files="*.doc"

which worked perfectly

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...