I have a log line that looks like the following:
2014-11-28 19:28:42 smx02 postfix/smtp: 6F7471C73AC479133AF: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.13, delays=0.01/0/0/0.12, dsn=2.0.0, status=sent (250 OK, sent 5479133A6994127931 8E560172844_479133AB)
I want to use regex to create 4 new fields.
Field1 - 6F7471C73AC479133AF (number/letter combinations)
Field2 - 5479133A6994127931 (number/letter combinations)
Field3 - 8E560172844_479133AB (number/letter combinations)
Field 4 - 57736 (Always number)
I know I can use the rex field=FIELDNAME command, but I can't seem to get the syntax to work.
Is there anyone that can point me in the right direction or give me some times on how to create these fields. I really just want to understand the Splunk syntax.
For problems like this, RegExr is a great tool. Using it and your sample event, I came up with this.
rex "\[(?<Field4>\d+)]:\s+(?<Field1>\S+):[\s\S]+?, sent (?<Field2>\S+) (?<Field3>\S+)"
how to extract this field