Splunk Search

How to generate a regular expression to extract the email from my _raw event?

sravankaripe
Communicator

Help me with a regular expression in search to pick
hello2017@gmail.com from the _raw event below

<string>hello2017@gmail.com</string>
0 Karma
1 Solution

somesoni2
Revered Legend

Try this

your base search | rex "(?<email>[\w\d\.\-]+\@[\w\d\.]+)"

OR better

your base search | rex "string\>(?<email>[\w\d\.\-]+\@[\w\d\.]+)\<"


0 Karma

ckp123
Path Finder

your base search | rex "(?<email>[\w\d._-]+\@[\w\d._-]+)"

If you feel some other special character would be there on the email ID or dmail field, add them along with "\w\d._-" inside [] in both places

DalJeanis
Legend

Here are three answers to your question. Look for the section of the regex that has an @ in the middle of it, and look right and left until you find the edge of the part that is getting the email.

https://answers.splunk.com/answers/310664/regex-to-extract-multiple-email-addresses-in-splun.html
https://answers.splunk.com/answers/426212/how-to-extract-only-unique-email-ids-from-a-detail.html
https://answers.splunk.com/answers/170066/how-to-write-regex-to-extract-multiple-email-addre.html

Once you have something you think will work for your stuff, test it over at regex101.com.

Finally, try this in splunk with YOUR version of the regex until it works for your data.

| makeresults 
| eval myvalue="<string>hello2017@gmail.com</string>" 
| rex field=myvalue "(?<myemail>.*@.*)"

The results of what I put above are not exactly correct, but the code will run enough that you can fix it by putting your working regex in the last line.

0 Karma


DalJeanis
Legend

I was gonna make him work for it, since even a cursory google found several easy answers on answer.splunk.com.

0 Karma

koshyk
Super Champion

There is nothing 100% 🙂, but as per this site, a pattern which can reach 99.99% is

([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)

Full example below

|makeresults | eval _raw="<string>hello2017@gmail.co.uk</string>" | rex field=_raw "(?<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)"| table _raw, emailaddr
0 Karma
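As an added example (not code from any of the posts above), here are the patterns from this thread checked offline in Python, the way DalJeanis suggests doing on regex101.com before putting them into rex. Assumptions: the three sample events are constructed for this example (only the first one is from the question); Splunk's rex is PCRE, so the PCRE named-group syntax is rewritten to Python's (?P<name>...) and \w is Unicode-aware in Python where PCRE defaults to ASCII; the rex() helper imitates the command's default of one match per event and its max_match argument; the hyphen_range_pitfall pattern is constructed to show why a hyphen belongs at the end of a character class.

```python
from __future__ import annotations

import re

# Constructed sample events (only the first is from the question). The second
# has a multi-label TLD, the third a plus-tagged local part and a second address.
EVENTS = [
    "<string>hello2017@gmail.com</string>",
    "<string>hello2017@gmail.co.uk</string>",
    "<string>first.last+tag@mail.example.org</string> cc=ops@example.net",
]

# Patterns from the thread in Splunk/PCRE syntax, plus one constructed pitfall:
# a hyphen in the middle of a character class is a range (here '.'..'_', which
# covers '<', '>', '/' and '@'), not a literal hyphen.
PATTERNS = {
    "greedy_starter": r"(?<myemail>.*@.*)",
    "charclass": r"(?<email>[\w\d\.\-]+\@[\w\d\.]+)",
    "anchored": r"string\>(?<email>[\w\d\.\-]+\@[\w\d\.]+)\<",
    "strict_tld": r"(?<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)",
    "hyphen_range_pitfall": r"(?<email>[\w\d.-_]+\@[\w\d.-_]+)",
}


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left alone: only '(?<' followed by a
    group-name character starts a named group.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def rex(pattern: str, event: str, max_match: int = 1) -> list[str]:
    """Imitate `| rex field=_raw "<pattern>"`: return the value of the first
    named group for up to max_match matches (rex defaults to max_match=1)."""
    regex = re.compile(pcre_to_python(pattern))
    hits: list[str] = []
    for m in regex.finditer(event):
        hits.append(next(v for v in m.groupdict().values() if v is not None))
        if len(hits) >= max_match:
            break
    return hits


def evaluate() -> dict[str, list[list[str]]]:
    """Run every pattern over every event; each inner list is what rex would
    extract for that event (empty list means the field would not be created)."""
    return {name: [rex(p, e) for e in EVENTS] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, per_event in evaluate().items():
        print(name)
        for event, hit in zip(EVENTS, per_event):
            print(f"  {event!r:72} -> {hit}")
    # Pull both addresses out of the third event, as rex max_match=2 would.
    print(rex(PATTERNS["strict_tld"], EVENTS[2], max_match=2))
```

Running it shows the differences the answers hint at: the greedy starter captures the surrounding tags as part of the email; the unanchored character-class pattern drops the part of the local name before a "+"; the pattern anchored on "string>" returns nothing at all when the local part contains a character outside the class, so a field silently goes missing rather than being wrong; the last pattern handles both gmail.co.uk and the plus-tag, and with max_match=2 also picks up the second address in the event. The pitfall pattern shows that "[\w\d.-_]" swallows the tags because ".-_" is a range, which is why the hyphen has to sit last in the class.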