Hi,
I have a log line following this template: [2017-11-03 13:55:52,945] [MYPROJ] [EMAIL=xxx@yyy.com]
But I want to find users (EMAIL) where the user inserted whitespace at the start/end of the email: [2017-11-03 13:55:52,945] [MYPROJ] [EMAIL=xxx@yyy.com ] <- notice the end of the email
Somehow no regex will find it.
Is there something in the Splunk admin conf that will trim the whitespace automatically?
Thanks
This line, in a search, will alter field EMAIL so that all spaces are deleted.
| rex field=EMAIL mode=sed "s/ //g"
You can also sedmode the events at the indexer while you are ingesting them, which alters the underlying _raw data.
SEDCMD-foo = s/(\[EMAIL=)(\s*)(\S*)(\s*)(\S*)(\s*)(\])/\1\3\5\7/g
Hi,
Can you please try rex? This rex will extract the EMAIL ID and the blank space (if any).
.*EMAIL=(?<EMAIL_ID>.*)(?<BLANK_SPACE>[|.\s])
You can try below search also.
YOUR_SEARCH
| rex field=_raw ".*EMAIL=(?<EMAIL_ID>.*)(?<BLANK_SPACE>[|.\s])"
| table _time EMAIL_ID BLANK_SPACE
This search will list the email_id as well as the blank space at the end of the email ID (if any).
| rex "(?<email_with_trailing_space>\[EMAIL=[^]]+ \])" | search email_with_trailing_space=*
That will extract the full [EMAIL=...] portion of the log and allow you to search for a space before the closing ].
Great catch. REALLY not according to Splunk's docs ([\s] etc.)
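The check discussed in this thread, as an added Python example that is not from any of the posts: it extracts the raw [EMAIL=...] value from each line and reports leading, trailing or both-sided padding, since the question asks about both the start and the end. It goes beyond the literal-space match by also treating tabs and non-breaking spaces as whitespace. The sample lines and the names `find_padded_emails` and `classify_padding` are constructed for illustration.

```python
import re

# Constructed sample lines in the page's template (timestamps and padding variants are made up).
SAMPLE_LOG = [
    "[2017-11-03 13:55:52,945] [MYPROJ] [EMAIL=xxx@yyy.com]",
    "[2017-11-03 13:55:53,101] [MYPROJ] [EMAIL=xxx@yyy.com ]",
    "[2017-11-03 13:55:54,230] [MYPROJ] [EMAIL= xxx@yyy.com]",
    "[2017-11-03 13:55:55,412] [MYPROJ] [EMAIL=\txxx@yyy.com\u00a0]",
    "[2017-11-03 13:55:56,007] [MYPROJ] [STATUS=ok]",
]

# Capture everything between "[EMAIL=" and the next "]", whitespace included.
EMAIL_TOKEN = re.compile(r"\[EMAIL=([^\]]*)\]")


def classify_padding(raw_value):
    """Return 'leading', 'trailing', 'both' or None for an extracted value."""
    leading = raw_value != raw_value.lstrip()
    trailing = raw_value != raw_value.rstrip()
    if leading and trailing:
        return "both"
    if leading:
        return "leading"
    if trailing:
        return "trailing"
    return None


def find_padded_emails(lines):
    """Yield (line_number, raw_value, normalized_value, padding_kind) for padded emails."""
    for lineno, line in enumerate(lines, start=1):
        match = EMAIL_TOKEN.search(line)
        if match is None:
            continue  # line has no [EMAIL=...] token
        raw_value = match.group(1)
        kind = classify_padding(raw_value)
        if kind is not None:
            yield lineno, raw_value, raw_value.strip(), kind


if __name__ == "__main__":
    for lineno, raw, clean, kind in find_padded_emails(SAMPLE_LOG):
        # repr() makes the otherwise invisible padding visible in the report
        print(f"line {lineno}: {kind} whitespace, raw={raw!r}, normalized={clean!r}")
```

Comparing the normalized value against the raw one is what lets two log entries for the same account be correlated even when one was typed with padding.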