About iMarko

iMarko · ‎02-25-2022

Hi thanks for your help, this nearly worked but it did get me 99% of the solution I needed. I had to mvexpand both my Files and Extension fields and then use search instead of where. So just in case anyone comes across this while searching online (I spent a good while searching before posting) here was the solution: | rex field=filenameandurl "(?<Files>mess of regex)" -- to get a list of all files in the email | rex field=Files "(?<Extension>mess of regex)" -- to get just the file extensions (for counting purposes) | mvexpand Extension | mvexpand Files | search Extension=".doc" AND Files="*.doc" which worked perfectly

iMarko · ‎02-24-2022

Hi, I'm writing a splunk query to find emails with specific file types attached I have the regex working which pulls the files and also extracts the file extensions which I'll be using for data collection purposes later. I will then use this extracted file extension to search and return specific emails containing files with said extension (hope that makes sense) The problem is that when I use |where FileExtension=".doc" I get events returned where it contains a .doc file which is fine. But it also shows all the other files attached which I do not want. For example I want my output to be sender recipient file.doc But what I am getting is sender recipient file.doc file.a file.b file.c file.d Is there any way to do some kind of exclusive search that will ignore the extra data in the file field that are not .doc's as they are of no interest to me at the moment?

Posts	2
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎02-24-2022

Online Status	Offline
Date Last Visited	‎02-25-2022 11:54 AM

How can I ignore additional data from a field

Re: How can I ignore additional data from a field

How can I ignore additional data from a field