Solved: Trying to get the domain from multiple email recip...

Dallastek · ‎01-22-2018

sourcetype=mysource | rex field=shared_with "(?P[A-Za-z0-9]+.[a-zA-Z]+)$"

emails going to several different recipients and domains (google, yahoo, msn etc.)
When I use this I get 1 result but not of the others. Someone recommended using a sed command to strip everything before the @ however I can seem to get it to work.

gokadroid · ‎01-22-2018

Here is what u can try

1) If the data is not already extracted in a field extract it first in shared_with field

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"

2) Next work on this field to extract all the domain names using rex iwth max_match=0

| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"

3) Now you can choose fields name and domain the way you want, either to table it directly [it is a multivalue field]

| table name, domain

Here is complete query

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"
| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"
| table name, domain

Next you can use mvexpand on domain field to make the values individual field values rather than a multivalue field.

View solution in original post

gokadroid · ‎01-22-2018

Here is what u can try

1) If the data is not already extracted in a field extract it first in shared_with field

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"

2) Next work on this field to extract all the domain names using rex iwth max_match=0

| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"

3) Now you can choose fields name and domain the way you want, either to table it directly [it is a multivalue field]

| table name, domain

Here is complete query

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"
| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"
| table name, domain

Next you can use mvexpand on domain field to make the values individual field values rather than a multivalue field.

micahkemp · ‎01-22-2018

Slight variation to your 2nd rex:

| rex max_match=0 field=shared_with "(^|, )(?<name>[^@ ]+)@(?<domain>[^,]+)(,|$)"

Prevents getting , as a prefix to name.

Dallastek · ‎01-23-2018

Thanks gokadroid, I made a couple of adjustments and it is working great, thanks!
index=mine shared_with=@
| rex max_match=0 field=shared_with "(^|, )(?[^@ ]+)@(?[^,]+)(,|$)" | table name, domain

gokadroid · ‎01-23-2018

Awesome...happy to have helped.

Dallastek · ‎01-22-2018

Jan 22 20:06:12 ttjtsxj00 syslog[0233]: - - [Shirlene@2024 activity_type="Share" created_timestamp="2012-00-00D20:02:04" from_detect="0" inserted_timestamp="2012-00-00D20:02:09" instance="L006f51sf" object_type="File" service="secure" severity="informational" shared_with="mark@diohnasypmxzjic.com, bart@diohnasypmxzjic.com, arat@toshiko.com, ken.smith@toshiko.com, eva.@one.toshiko.com, randal@toshiko.com, libby@wh.toshiko.com, azzie.hailey@one.toshiko.com, amy@diohnasypmxzjic.com, loretta.mark@one.toshiko.com, zenaida@one.toshiko.com, cherrie@diohnasypmxzjic.com, marcy@diohnasypmxzjic.com, genny@diohnasypmxzjic.com" source="KAY" user="natalya.h.lisabeth@toshiko.com"] User shared Deandrea document

domain and user data has been randomized

elliotproebstel · ‎01-22-2018

Based on your sample code above, I'm guessing you have a field called shared_with, and each instance of the field contains just a single email address. If so, this should work for you:

sourcetype=mysource
| rex field="shared_with" "@(?<domain>.*)$"

It just looks for the @ in the field and captures everything after it into a new field called domain.

horsefez · ‎01-22-2018

Could you provide some sample data please.

Trying to get the domain from multiple email recipients using rex

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life