How do i find out if a field contains part of anot...

sgrierson · ‎09-08-2019

Hello community.

I'm struggling to find emails that have a word in the subject which also have the word in an attachment.

For example:
If an email subject was "X.Y:Z" and then also have an attachment of "Z.doc"

As you see, I need to find an attachment that begins with the word that is the end of the subject.

So if...
Subject="card.parrot:bacon"
Then the attachment would be...
Attachment="bacon.doc"

Would such a thing be possible?

I hope this makes sense.
Thanks for your time.

woodcock · ‎09-08-2019

Like this:

|makeresults
| eval subject = "X.Y:Z", attachment = "Z.doc"
| rex field=subject "(?<stest>\w+$)"
| rex field=attachment "^(?<atest>\w+)"
| where atest == stesta

richgalloway · ‎09-08-2019

There probably are a few ways to do this. Here's one. It uses rex to parse the subject field and extract whatever follows ":" into the Attachment field. Then ".doc" is appended to the field.

... | rex field=Subject ":(?<Attachment>.*)" | eval Attachment = Attachment.".doc"

---
If this reply helps you, Karma would be appreciated.

sgrierson · ‎09-08-2019

Afraid this was showing errors

richgalloway · ‎09-08-2019

What errors?

---
If this reply helps you, Karma would be appreciated.

How do i find out if a field contains part of another field?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...