Update regex in transforms.conf for extract_recipi...

colinjb · ‎11-11-2024

All,

I am currently working with Splunk Add-on for Microsoft Office 365. The default regex in transforms.conf for extract_src_user_domain and extract_recipient_domain will only extract the last two parts of an email domain, resulting in domains like bank.co.in returning as co.in

Current
[extract_src_user_domain]

SOURCE_KEY = ExchangeMetaData.From

REGEX = (?<SrcUserDomain>[a-zA-Z]*\.[a-zA-Z]*$)

[extract_recipient_domain]

SOURCE_KEY = ExchangeMetaData.To{}

REGEX = (?<RecipientDomain>[a-zA-Z]*\.[a-zA-Z]*$)

MV_ADD = true

Suggest updating it to be inline with messagetrace rex

[extract_messagetrace_src_user_domain]

SOURCE_KEY = SenderAddress

REGEX = @(?<src_user_domain>\S*)

[extract_messagetrace_recipient_domain]

SOURCE_KEY = RecipientAddress

REGEX = @(?<recipient_domain>\S*)

Thanks,

Meett · ‎11-12-2024

Agree with @richgalloway This should be highlighted to Support as its Splunk Supported Add-on.

richgalloway · ‎11-11-2024

That is a Splunk-supported app so the best way to report a failure like this is to file a case with Splunk Support.

If you do not have a support entitlement, submit it at https://ideas.splunk.com.

---
If this reply helps you, Karma would be appreciated.

Update regex in transforms.conf for extract_recipient_domain & extract_src_user_domain

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services