I have URL's that contain email addresses that I would like to extract via rex into an email field:
SAMPLE RAW:
You may want to add other characters like - and _ to the regex. This is primitive and just catching the word and . characters on either side of the @ and assumes your url is delimited with other special chars like = from your examples
| makeresults | eval foo="macplatform.wondershare.com/interface.php?m=co&client_sign={CD1AABB2-586E-55A5-A891-877563550973}∏uct_id=735&version=10.3.2&email=Christopher.Nobody@somedomain.com⟨=en_us&type=0&cc=92445606E83D64D283AD3A5EF2A9869E∫erface_version=1.1 link.defensenews.com/manage/5ba/preferences-center?email=moe.nobody@domain.org www2.criver.com/form/checkEmailAjax/account_id/60962/form_field_id/129003/tracker_id/278458707/field_id/60962_129003pi_60962_129003?param=Edward.Nobody2@some.com login.yahoo.com/account/comm-channel/refresh?display=login&.intl=us∫l=us&.lang=en-US&src=finance&.src=finance&login=kimberly.nobody@somewhere.gov&tn=arinfo_review&context=spreg_cc&. www.borisfx.com/BCCAVXActivation.php?UPID=MCHITNB-ADRELHQ-OSJZBFU-VYIQAAM&email=ronald.nobody@blahbl... www.idevmail.net/unsubscribe.aspx?d=94&m=1319&e=jill.nobody2@domain.net"; | makemv foo delim=" " | mvexpand foo | rex field=foo "(?<email>[\w\.]+@[\w\.]+)" | table foo email
Are you asking for the community to write the regex for you? I'm not sure exactly what your question is. What have you tried so far?
Yes I am new to splunk and I'm not sure how to write this regex...I tried extracting a new field with the tool, but it didn't always work.
