Solved: How would I use eval with a wildcard to create a c...

the_wolverine · ‎09-25-2014

I have many email addresses that I want to lump by domain. How do I use eval to do this?

the_wolverine · ‎09-25-2014

index=main sourcetype=email address=* | eval domain=case(address LIKE "%gmail.com", "GMAIL", address LIKE "%yahoo.com", "YAHOO",address LIKE "%hotmail.com","HOTMAIL") | stats count by domain

(% is the wildcard)

There are many ways to do this so I hope other folks add their examples.

View solution in original post

mikaelbje · ‎09-25-2014

For completeness here's another way to achieve this:

index=* address=* | eval x=split(address, "@") | eval domain=mvindex(x,1)

Not sure which solution is faster though

sk314 · ‎09-25-2014

You could also use rex on your email address field to capture domain in a separate field. This way you do not have to list out all possible domain cases in an eval statement.

For example:

index=<your index> sourcetype=<your sourcetype> | rex field=<email_address_field> "\w+@(?<domain>\w+)\.\w+" | ...

This captures your domains in a separate field (domain). Hope this helps.

the_wolverine · ‎09-25-2014

index=main sourcetype=email address=* | eval domain=case(address LIKE "%gmail.com", "GMAIL", address LIKE "%yahoo.com", "YAHOO",address LIKE "%hotmail.com","HOTMAIL") | stats count by domain

(% is the wildcard)

There are many ways to do this so I hope other folks add their examples.

How would I use eval with a wildcard to create a combined value?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life