I'm trying to filter down a list of internal email addresses at search time in a field called "email." They are all the same internal mail domain in the format of user@domain.com. I want to truncate them down to everything before the @ sign (so just user instead of user@domain.com). I've been trying to use a rex sed mode command to do this unsuccessfully. My plan is to replace everything from the at sign to the end of the field with "" to truncate the line. When I attempt to search and replace the @ sign, it never even pulls any data. However, if I search and replace anything else like "domain" it works fine. For example, given the email address me@domain.com the following works:
rex mode=sed field=Email "s/\"domain/""/g"
The result is me.com. Does Splunk rex sed mode somehow treat the @ sign as some sort of special character? I've tried escaping it in numerous ways without success. rex mode=sed field=Email "s/\"@/""/g" just kills the search right away saying there is no data. I am open to other ways to truncate a field as well.
To change the field value to just the username, you can use this:
| makeresults
| eval email="user@domain.com"
| rex field=email mode=sed "s/@.*//"
Hey, Jinx!
This works like a treat. In my example that worked (rex mode=sed field=Email "s/\"domain/""/g") the "" was the replace value I was using to replace it with a null or nothing. It looks like your example "s/@.*//g" more or less omits the item to replace it with to do the same thing. I would have never thought of that.
Thanks!
You beat me.
It's not who takes the answer to the dance, it's who goes home with the points!
I shared! Oh, let me up vote your answer, then it will be even. 🙂
I tricked him into giving you the points by UpVoting your answer and now you have undone all of my hard work!
Your answer is better anyway. I didn't need to have the g on the end of the rex.
I like adding an extra g or 2 to the end.
- Gregg "the extra g says no -ory" Woodcock
What extra g?
Editing my answers now are we?
I needed another one: Gregg G. Woodcock. The G is for generous (if you laughed, maybe you know Sanford and Son).
Yeah, I'm plenty old enough for Sanford and Son - "Oh,... my heart!"
Well, as long as the G went to a Good cause. 🙂
Actually, the G is really for Good cause but I couldn't find any place to steal a C.
Hey, you're not supposed to post until I write @cpetterborg. OOPS, I just did!
Like this:
... | rex mode=sed field=Email "s/@.*//"
If you just want to extract user name from email, you can try the following rex command. sed mode does not seem absolutely necessary for me (PS: first two pipes just create a mock email address as per the question):
| makeresults
| eval _raw="user@domain.com"
| rex "(?<user>[^@]+)@"