Hi,
I am looking for some help on how to remove the malformed expression error coming from the query below. Many thanks for your time:
index="test" Policies=policy1 Destination=*@*
| rex max_match=0 field=Destination "(?[^@]+)@(?[^,\"\s\;]+)"
| search Comp [| inputlookup test.csv | fields suspicious]
| table ref Comp date_month
The test.csv has 'app' permissions and |inputlookup test.csv shows the data from the csv.
The rex command works without the search (it extracts domains from email addresses).
Job inspector has a comment of
info : No matching fields exist
Job search has this line:
WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.