Hello All,
From a search in Splunk I get this output from the _raw field:
(I have modified the output a bit for privacy)
_raw
Oct 27 18:03:25 index-name-here postfix/smtp[xxxx]: 00000000000: to=xxx@xxx.com, relay=xxx.com[x.x.x.x]:xx, delay=0.00, delays=0.00/0.00/0.0/0.00, dsn=0.0.0, status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (in reply to RCPT TO command))
I need to extract this info from the raw data:
status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (some-text-here))
How can I do that using a rex expression on the search?
Thank you!
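A worked answer, added here as an illustration and not part of the original post or of any reply to it. The rex command I would use in the search is:

| rex field=_raw "(?<status_detail>status=\w+\s+\(.*\))$"

The greedy `.*` runs to the end of the event, so the nested "(in reply to ...)" parentheses and the stray double quote are swallowed into the capture, and the trailing `$` keeps the final `)` inside it. The Python below applies that same regex to the sample line from the post plus two constructed events (one delivered message, one qmgr line with no status= at all). Splunk's rex uses PCRE, whose `(?<name>...)` named groups Python's re module does not accept, so a small helper rewrites them to `(?P<name>...)`. The field names status_detail, status, reason and smtp_code are my own choices, and the second regex goes beyond the question by splitting the capture into separate fields.

```python
import re

# The rex command from the answer above (Splunk SPL, PCRE regex syntax).
# Field name "status_detail" is an assumed name, not from the post.
SPL_REX = r'| rex field=_raw "(?<status_detail>status=\w+\s+\(.*\))$"'

# The regex on its own, so Python can exercise it.
STATUS_DETAIL_RE = r"(?<status_detail>status=\w+\s+\(.*\))$"

# Finer-grained variant (goes beyond the question): the status keyword and
# the parenthesised explanation as separate fields, plus the 3-digit SMTP
# reply code when the remote host returned one. Names are assumed.
STATUS_PARTS_RE = r"status=(?<status>\w+)\s+\((?<reason>.*)\)$"
SMTP_CODE_RE = r"said:\s+(?<smtp_code>\d{3})"


def pcre_to_python(pattern):
    """Rewrite PCRE named-group openers (?<name> to Python's (?P<name>,
    leaving lookbehinds (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(raw, pattern):
    """Apply one rex-style regex to a raw event and return the named groups
    as a dict (the fields Splunk would add), or None when it does not match."""
    m = re.search(pcre_to_python(pattern), raw)
    return m.groupdict() if m else None


# Sample events. EVENTS[0] is the anonymised line quoted in the question;
# EVENTS[1] and EVENTS[2] are constructed here for contrast.
EVENTS = [
    "Oct 27 18:03:25 index-name-here postfix/smtp[xxxx]: 00000000000: to=xxx@xxx.com, "
    "relay=xxx.com[x.x.x.x]:xx, delay=0.00, delays=0.00/0.00/0.0/0.00, dsn=0.0.0, "
    'status=bounced (host xxx.com[x.x.x.x] said: 550 No Such User Here" (in reply to RCPT TO command))',
    "Oct 27 18:04:01 index-name-here postfix/smtp[xxxx]: 11111111111: to=yyy@yyy.com, "
    "relay=yyy.com[y.y.y.y]:25, delay=0.42, delays=0.01/0.00/0.20/0.21, dsn=2.0.0, "
    "status=sent (250 2.0.0 OK queued as ABC123)",
    "Oct 27 18:04:02 index-name-here postfix/qmgr[xxxx]: 11111111111: removed",
]


def extract_status_detail(raw):
    """The exact substring the question asks for, or None if absent."""
    fields = rex(raw, STATUS_DETAIL_RE)
    return fields["status_detail"] if fields else None


def extract_status_parts(raw):
    """status / reason split out, with the SMTP reply code when present."""
    fields = rex(raw, STATUS_PARTS_RE)
    if fields is None:
        return None
    code = rex(raw, SMTP_CODE_RE)
    fields["smtp_code"] = code["smtp_code"] if code else None
    return fields


if __name__ == "__main__":
    print(SPL_REX)
    for raw in EVENTS:
        print(extract_status_detail(raw))
        print(extract_status_parts(raw))
```

Events without a status= clause simply get no field, which is also how rex behaves in Splunk (no match, no field); a bounce with a multi-line remote reply would be one line in the log anyway, because Postfix flattens the reply before logging it.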