Solved: What is the problem with Regex field extraction wi...

MOberschelp · ‎02-06-2019

Hi everyone,

I have data from Cisco ESA similar to this two examples:

> Feb  6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com

and

> Feb  6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: Spam. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com

Sometimes the "Suspected Domain" part is not a part of the data.

I want to add a field extraction for the "Threat Category" value (in this case "Spam") .

Can anyone help me out with this? I tried the field extraction in Splunk, but Splunk can't handle both types (with a , or . after the Category "Spam")

Regards,
Maik

renjith_nair · ‎02-06-2019

@MOberschelp ,

UPDATED: to include special chars

"Threat Category:\s(?<Threat_Category>.+?)[,\.]"

Try

"Threat Category:\s(?<Threat_Category>\w+)"

OR

If you want to add . or ,

"Threat Category:\s(?<Threat_Category>\w+)[,\.]"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎02-06-2019

@MOberschelp ,

UPDATED: to include special chars

"Threat Category:\s(?<Threat_Category>.+?)[,\.]"

Try

"Threat Category:\s(?<Threat_Category>\w+)"

OR

If you want to add . or ,

"Threat Category:\s(?<Threat_Category>\w+)[,\.]"

---
What goes around comes around. If it helps, hit it with Karma 🙂

MOberschelp · ‎02-06-2019

Thanks for the quick reply. This worked fine for my example.
But now I've seen that not all values are detected.

@this example the regex doesn't work:
Feb 6 10:29:56 10.1.1.152 Feb 06 10:29:45 Splunk: Info: MID 6000770 SDR: Consolidated Sender Reputation: Poor, Threat Category: N/A, Suspected Domain(s) : mail1@host.com, mailhost3.com. Youngest Domain Age: 1 year 8 months 15 days for domain: email@domain.com

I think here is the "/" @ "N/A" the problem.
Any hints for this?
Tried my best @ regex101.com but regular expressions are my weakness... 😉

renjith_nair · ‎02-06-2019

@MOberschelp ,
I was about to ask you about whether the category is always a string 🙂 . Try

Threat Category:\s(?<Threat_Category>.+?)[,\.]

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair · ‎02-06-2019

Or if you have only "/" in the list of special characters, then below also should work

"Threat Category:\s(?<Threat_Category>[\w\/]+)[,\.]"

---
What goes around comes around. If it helps, hit it with Karma 🙂

MOberschelp · ‎02-06-2019

Great! That just works perfect!
Thank you very much!

What is the problem with Regex field extraction with "OR"

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

What is the problem with Regex field extraction with "OR"

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability