Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Microsoft O365 add-on: How to extract data from emails?

sanju2408de
Explorer
‎03-13-2022 08:03 AM

I am facing challenges while extracting the data from emails, using the Microsoft O365 email add on.

I want to extract the "Requested for" and "Finished" for which respective values are "ABC.ITGLOBAL@XYZ.com" and "Fri, Mar 11 2022 15:09:29 GMT+00:00".

I have tried Regex101 site and could successfully test a Regex pattern as below for matching the value for "Requested for" but the same pattern doesn't work in Splunk.

(?i) for\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\w+\-\w+:\w+\-\w+\"\>(?P<Requested_For>\S+)(?=\<\/td)

I need help here to sort this out, please if anyone can share their thoughts here.

Finished</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">Fri, Mar 11 2022 15:09:29 GMT+00:00</td></tr><tr><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:nowrap; font-weight:600; min-width:130px">Requested for</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">ABC.ITGLOBAL@XYZ.com</td></tr><tr><td class=""

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-13-2022 10:58 AM

Try this regex.  It tries to avoid depending on the number of words between groups.

Finished\<\/td>\<[^>]+>(?<Finished>[^\<]+).*?Requested for\<\/td>\<[^\<]+>(?<Requested_For>[^\<]+)

Also, the ?i flag most likely is not needed since the keywords in the data ("Finished" and "Requested for") probably will always be the same. 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-13-2022 10:58 AM

Try this regex.  It tries to avoid depending on the number of words between groups.

Finished\<\/td>\<[^>]+>(?<Finished>[^\<]+).*?Requested for\<\/td>\<[^\<]+>(?<Requested_For>[^\<]+)

Also, the ?i flag most likely is not needed since the keywords in the data ("Finished" and "Requested for") probably will always be the same. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sanju2408de
Explorer
‎03-14-2022 02:23 AM

@richgalloway Thanks so much for your help, this actually worked.

We had few more fields to extract from the same email and i used the same regex patterns as you have provided. It perfectly worked.

 

Many Thanks again for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...