Hello,
I have 1 field in Splunk which contains 2 short email headers in plain-text, for example:
**From**: Me (me@me.com)
**Sent**: 28 September 2018 17:42
**To**: You (you@you.com)
**Subject**: This is the first email
**From**: Me (me@me.com)
**Sent**: 28 September 2018 18:42
**To**: You-aswell (you-aswell@you.com)
**Subject**: This is the second email
There is more text after the 2 short email headers.
I would like to use Rex to select the 2 Sent times, i.e:
```
rex field=output "Sent: (?<sent1>.*)"
rex field=output "Sent: (?<sent2>.*)"
```
How do I select in the rex function which match to select? As an FYI, there may be text before the headers so selecting the line number wouldn't be an option.
Thanks,
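As an added illustration (not part of the original question, and not Splunk code), the regex logic below reproduces in Python what two approaches in SPL would do on a field like the one shown: a single pattern with two named groups (one rex, two captures) and a line-anchored pattern applied to every match (the equivalent of rex with `max_match=0`, which returns a multivalue field). The field text is constructed from the headers in the question.

```python
import re

# Constructed sample of the "output" field: text before the headers, two
# short email headers, then trailing text, as described in the question.
SAMPLE_OUTPUT = """Some preamble text before the headers.
From: Me (me@me.com)
Sent: 28 September 2018 17:42
To: You (you@you.com)
Subject: This is the first email
From: Me (me@me.com)
Sent: 28 September 2018 18:42
To: You-aswell (you-aswell@you.com)
Subject: This is the second email
There is more text after the 2 short email headers.
"""

# Approach 1: one pattern, two named groups. The lazy [\s\S]*? skips the
# lines between the first and second "Sent:" line. Splunk's PCRE syntax for
# a named group is (?<name>...); Python spells it (?P<name>...).
PAIR_RE = re.compile(
    r"^Sent:\s*(?P<sent1>[^\n]+)[\s\S]*?^Sent:\s*(?P<sent2>[^\n]+)",
    re.MULTILINE,
)

# Approach 2: one group, every match kept (what rex ... max_match=0 does).
# Anchoring on the line start keeps "Sent:" inside a Subject or body line
# from being picked up.
SENT_RE = re.compile(r"^Sent:\s*(?P<sent>[^\n]+)", re.MULTILINE)


def extract_sent_pair(text):
    """Return {'sent1': ..., 'sent2': ...} for the first two Sent headers, or None."""
    m = PAIR_RE.search(text)
    return m.groupdict() if m else None


def extract_sent_times(text):
    """Return every Sent header value, in order of appearance."""
    return [m.group("sent") for m in SENT_RE.finditer(text)]


def nth_sent_time(text, n):
    """Return the n-th (1-based) Sent value, or None if there are fewer matches."""
    matches = extract_sent_times(text)
    return matches[n - 1] if 0 < n <= len(matches) else None
```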