Update regex in transforms.conf for extract_recipient_domain & extract_src_user_domain

colinjb
New Member

All,

I am currently working with Splunk Add-on for Microsoft Office 365. The default regex in transforms.conf for extract_src_user_domain and extract_recipient_domain will only extract the last two parts of an email domain, resulting in domains like bank.co.in returning as co.in.

Current
[extract_src_user_domain]
SOURCE_KEY = ExchangeMetaData.From
REGEX = (?<SrcUserDomain>[a-zA-Z]*\.[a-zA-Z]*$)

[extract_recipient_domain]
SOURCE_KEY = ExchangeMetaData.To{}
REGEX = (?<RecipientDomain>[a-zA-Z]*\.[a-zA-Z]*$)
MV_ADD = true

Suggest updating it to be in line with messagetrace rex
[extract_messagetrace_src_user_domain]
SOURCE_KEY = SenderAddress
REGEX = @(?<src_user_domain>\S*)

[extract_messagetrace_recipient_domain]
SOURCE_KEY = RecipientAddress
REGEX = @(?<recipient_domain>\S*)

Thanks, 
0 Karma
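The behaviour described in the post above, as an added example that is not part of the original post or the add-on's code: it runs both quoted regexes over constructed sample addresses and also covers hyphenated and digit-bearing domains, which go beyond the one case the post mentions. The helper names and sample addresses are assumptions made for illustration.

```python
import re

# Patterns copied verbatim from the transforms.conf stanzas quoted in the post.
DEFAULT_REGEX = r"(?<SrcUserDomain>[a-zA-Z]*\.[a-zA-Z]*$)"
MESSAGETRACE_REGEX = r"@(?<src_user_domain>\S*)"

# Constructed sample values for ExchangeMetaData.From (not real log data).
SAMPLES = [
    "alice@example.com",            # two labels: default regex is correct
    "bob@bank.co.in",               # three labels: the case from the post
    "carol@mail.corp.example.com",  # deeper subdomain
    "dave@my-bank.com",             # hyphen is outside [a-zA-Z]
    "erin@mail1.example",           # digit is outside [a-zA-Z]
]

def compile_pcre(pattern):
    """Splunk uses PCRE named groups, (?<name>...); Python's re needs (?P<name>...).
    A plain replace is enough here because neither pattern uses lookbehind."""
    return re.compile(pattern.replace("(?<", "(?P<"))

def extract(pattern, group, value):
    """Return the named capture group, or None when the regex does not match."""
    match = compile_pcre(pattern).search(value)
    return match.group(group) if match else None

def compare(samples=SAMPLES):
    """Map each address to (default extraction, messagetrace-style extraction)."""
    return {
        addr: (
            extract(DEFAULT_REGEX, "SrcUserDomain", addr),
            extract(MESSAGETRACE_REGEX, "src_user_domain", addr),
        )
        for addr in samples
    }

def wrong_extractions(samples=SAMPLES):
    """Addresses where the default regex does not return the full domain."""
    return [addr for addr, (default, _) in compare(samples).items()
            if default != addr.rsplit("@", 1)[1]]

if __name__ == "__main__":
    for addr, (default, proposed) in compare().items():
        print(f"{addr:30} default={default!r:16} messagetrace={proposed!r}")
```

Searches or detections that key on SrcUserDomain or RecipientDomain would group every address in `wrong_extractions()` under a truncated value such as `co.in`.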

Meett
Splunk Employee

Agree with @richgalloway. This should be highlighted to Support as it's a Splunk Supported Add-on.

0 Karma

richgalloway
SplunkTrust

That is a Splunk-supported app so the best way to report a failure like this is to file a case with Splunk Support.

If you do not have a support entitlement, submit it at https://ideas.splunk.com.

---
If this reply helps you, Karma would be appreciated.
0 Karma