Hi all,
I am looking at using the Proofpoint Protection Server TA for Splunk, and having set it up, I am having some difficulty with field extraction in that the app is not doing what I expect.
```
2016-08-14T08:00:01.774397+01:00 dc1-pro-prp03 filter_instance1[7090]: rprt s=24sr7mgd5h mod=session cmd=disconnect module= rule= action= helo= msgs=1 rcpts=1 routes=allow_relay,default_inbound,internalnet,outbound duration=0.264 elapsed=0.547
```
I was hoping that Splunk would extract `s=24sr7mgd5h` as a field named **s** and a value of `24sr7mgd5h`. This would then allow me to run transaction commands and get useful session data from the devices.
I see that this answer https://answers.splunk.com/answers/86461/search-proofpoint-logs.html shows a Splunk user using the **s** field in their transaction. I am wondering if they have done some Splunk magic to make this happen.
I have found that adding the following will give me what I need, but I am hoping to avoid having to have this for all searches:
```
| extract pairdelim=" ",kvdelim="=\,"
```
If anyone can help me with their Splunk Ninja skills, I would be very much appreciative!
Proofpoint Protection Server TA for Splunk: How do I get this field extracted from my sample event?
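As an added example (not from the original post or the Proofpoint TA), the following Python does what the `| extract pairdelim=" ",kvdelim="="` work-around does on the sample event, keeping the empty values (`module=`, `rule=`) and splitting the comma-separated `routes`, and then groups events by `s` the way `transaction s` would. Only the last event is the one quoted in the question; the two earlier events for the same session are constructed here with invented `cmd` values, and the transforms.conf regex in the comment is the usual Splunk equivalent, not the TA's own configuration.

```python
import re
from collections import defaultdict

# Constructed sample events. The last is the event quoted in the question; the
# first two are made up here (same session id, invented cmd values) so the
# grouping below has something to group. They are not real Proofpoint output.
SAMPLE_EVENTS = [
    "2016-08-14T08:00:00.912001+01:00 dc1-pro-prp03 filter_instance1[7090]: "
    "rprt s=24sr7mgd5h mod=session cmd=connect ip=192.0.2.10 rcpts=0",
    "2016-08-14T08:00:01.204555+01:00 dc1-pro-prp03 filter_instance1[7090]: "
    "rprt s=24sr7mgd5h mod=session cmd=data msgs=1 rcpts=1",
    "2016-08-14T08:00:01.774397+01:00 dc1-pro-prp03 filter_instance1[7090]: "
    "rprt s=24sr7mgd5h mod=session cmd=disconnect module= rule= action= helo= "
    "msgs=1 rcpts=1 routes=allow_relay,default_inbound,internalnet,outbound "
    "duration=0.264 elapsed=0.547",
]

# key=value pairs separated by spaces. The value may be empty (module=, rule=)
# and may hold a comma list (routes=...), hence "\S*" rather than "\w+".
# A Splunk transforms.conf equivalent would be REGEX = (\w+)=(\S*), FORMAT = $1::$2.
KV_RE = re.compile(r"(\w+)=(\S*)")

def extract_kv(event):
    """Return the key=value fields of one rprt event as a dict (empty values kept)."""
    # Skip the syslog header: everything up to and including "]: ".
    _, _, body = event.partition("]: ")
    fields = dict(KV_RE.findall(body))
    # Multi-valued field: mirror a Splunk multivalue by splitting on commas.
    if "routes" in fields:
        fields["routes"] = fields["routes"].split(",")
    return fields

def sessions_by_id(events):
    """Group events by the s field, like 'transaction s' would, in arrival order."""
    sessions = defaultdict(list)
    for event in events:
        fields = extract_kv(event)
        if "s" in fields:  # skip events that carry no session id
            sessions[fields["s"]].append(fields)
    return sessions

def session_summary(session_events):
    """Collapse one session's events into its cmd sequence, message count and duration."""
    last = session_events[-1]
    return {
        "cmds": [e.get("cmd") for e in session_events],
        "msgs": int(last.get("msgs", 0)),
        "duration": float(last.get("duration", 0.0)),
    }
```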