- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex for normalizing VERP styled e-mail addresses
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all
For better bounce handling, we're using VERP styled from-addresses when sending mails through our postfix. So when splunk parses the mail logs, I have values in the from-field like this:
from=<bounce+baAABNQIIAAAAAMAAAARZXNEA@newsletter.domain.com>
Now I'm searching for a regex for search time extraction to remove the VERP id (all after the +).
I tried to use a lookahead ?=, which when matches doesn't get added to the whole mach:
\<(?<realfrom>[a-zA-Z]+(?=\+{1}[a-zA-Z]+)@.*)\>
But this didn't work so far. Any ideas how to get rid of the VERP id?
Thanks Simon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only valid option I can think of is to use the rex command with mode=sed to eliminate this part from the email address:
... | rex field=mail mode=sed "s/\+\w+@/@/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only valid option I can think of is to use the rex command with mode=sed to eliminate this part from the email address:
... | rex field=mail mode=sed "s/\+\w+@/@/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, seems like there's no other possibility.
I also got an answer from support that splunk doesn't replace more than one matching group in transforms.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to do this:
rex "\<(?<realfrom>\S+)\+\w+@"
I tested this with this search on my system:
* | head 1 | eval blah="from=<bounce+baAABNQIIAAAAAMAAAARZXNEA@newsletter.domain.com>" | rex field=blah "\<(?<realfrom>\S+)\+\w+@" | table blah realfrom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh ok. In that case ziegfried is right, you'll want to use rex in sed mode.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, thanks for your answer, but it's important that I get the domain name (newsletter.domain.com) in my match too. Only using the username of the email address for identifying senders is not distinct enough.
Modern way of developing distributed application using OTel
Enterprise Security Content Update (ESCU) | New Releases
Archived Metrics Now Available for APAC and EMEA realms
