Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extract subject from maillog

dictudatacom
New Member
‎06-29-2012 02:47 AM

Hi, I want to extract the 'subjects' from my SMTP maillog but the regex I have built doesn't seem to work. I have built the same type of regex to extract the FROM en TO fields and that works so I'm puzzled why it doesn't extract the subjects...

Regex looks like this:

(?i) subject <(?P[^>]*)

Can anyone help me out ? Thanks in advance!

Tags (1)
0 Karma
Reply

suepfarrell
New Member
‎08-15-2013 10:54 PM

Thx jstockamp - that didn't quite work. I will give more detail in my own question I think. About to go set one up now.
Thanks

0 Karma
Reply

jstockamp
Communicator
‎08-15-2013 10:04 PM

Your regex should looking something like this.

Subject.'(?.*)'

0 Karma
Reply

suepfarrell
New Member
‎08-15-2013 08:52 PM

Hi

Did you get an answer for this - trying to do this myself. My email subjects differ so I want to table them all

How did you end up extracting the subject lines?

Thanks
Sue

0 Karma
Reply

dictudatacom
New Member
‎07-02-2012 01:55 AM

Hi Ayn, here is a sample of the logfile, I want to extract the subject:

Mon Jul 2 10:20:38 2012 Info: Start MID 62771585 ICID 33896658
Mon Jul 2 10:20:38 2012 Info: MID 62771585 ICID 33896658 From: <*****>
Mon Jul 2 10:20:38 2012 Info: Delivery start DCID 24405838 MID 62771584 to RID [0]
Mon Jul 2 10:20:38 2012 Info: MID 62771585 ICID 33896658 RID 0 To: <*>
Mon Jul 2 10:20:38 2012 Info: MID 62771585 Message-ID '2B2E0EB229A8F44AB8C55D5E296BCFC40C584F@SCOMP0934.wurnet.nl'
Mon Jul 2 10:20:38 2012 Info: MID 62771585 Subject 'FW: Postbus AgroFood vanaf vrijdag 17:00 VOL: opnieuw inzenden!!'
Mon Jul 2 10:20:38 2012 Info: MID 62771585 ready 19724 bytes from <****>
Mon Jul 2 10:20:38 2012 Info: MID 62771585 matched all recipients for per-recipient policy DEFAULT in the outbound table
Mon Jul 2 10:20:38 2012 Info: MID 62771585 interim AV verdict using Sophos CLEAN
Mon Jul 2 10:20:38 2012 Info: MID 62771585 antivirus negative

0 Karma
Reply

jfraiberg
Communicator
‎06-29-2012 06:40 AM

have you tried using the "extract fields" dropdown from one of the events?

0 Karma
Reply

Ayn
Legend
‎06-29-2012 04:30 AM

Please include a log sample. Without it it's hard to build a regex that should match.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...