I got couple of log entries like below
2015-02-04 09:40:06,373 INFO Sending email. subject="Test e-mail from Splunk Alert", results_link="httpabc?sid=scheduler_searchRMD5d85a9270819de479_at_1423060800_190943", ***recipients="['a.b@abc.com', 'cd@abc.com']"*
host=DEV01 Options| sourcetype=splunk_python Options| source=/apps/splunk02/splunk/var/log/splunk/python.log Options| log_level=INFO Options| date_year=2015 Options| sid=scheduler_x450986search_RMD5d85a9270819de479_at_1423060800_190943 Options**
2015-02-03 09:40:06,373 INFO Sending email. subject="Test e-mail from Splunk Alert", results_link="httpabc?sid=scheduler_search_RMD5d85a9270819de479_at_1423060800_190943", ***recipients="['a.b@abc.com', 'cd@abc.com','mk@abc.com']"*
host=DEV01 Options| sourcetype=splunk_python Options| source=/apps/splunk02/splunk/var/log/splunk/python.log Options| log_level=INFO Options| date_year=2015 Options| sid=scheduler_search_RMD5d85a9270819de478_at_1423060800_190943 Options**
I want to create a recipient multivalue field which will be containg email addresses
Give this a spin:
index=_internal source="/opt/splunk/var/log/splunk/python.log"
| rex max_match=0 field=recipients "u'(?<recipient_list>[^']+)"
| stats values(recipient_list) as Recipients count by subject
| sort - count
| addtotals col=t row=f
I'm on Splunk 6.x, so my recipients field looks like this:
recipients="[u'userx@uci.edu', u'usery@uci.edu', u'userz@uci.edu']",
If you are on 6.x then my search should work perfectly for you. But if you are on an older version of Splunk, you may have a different log format. For the example you showed us above, there is no u
in front of the single-quoted recipient's email address. If that is still the case, just remove the u
so the rex line looks like this:
| rex max_match=0 field=recipients "'(?<recipient_list>[^']+)"
Be sure to vote this up if it works for you! 🙂
Oh, and the max_match=0
makes the number of matches unlimited, so it recurses, creating a multivalued field called recipient_list. max_match
has the default setting of 1 unless you change it.
Something like this:
* | head 1 | eval recipients="['a.b@abc.com','cd@abc.com','mk@abc.com']" | rex field=recipients "(?<data>[a-z\.@\,\s']+)" | makemv delim="," data
I do proper field extraction in my props.