Help me with a regular expression in search to pick
hello2017@gmail.com from the _raw event below
<string>hello2017@gmail.com</string>
Try this
your base search | rex "(?<email>[\w\d\.\-]+\@[\w\d\.]+)"
OR better
your base search | rex "string\>(?<email>[\w\d\.\-]+\@[\w\d\.]+)\<"
your base search | rex "(?<email>[\w\d._-]+\@[\w\d._-]+)"
If you feel some other special character would be there on email ID or dmail field, add them along with "\w\d.-_" inside [] in both places
Here are three answers to your question. Look for the section of the regex that has an @ in the middle of it, and look right and left until you find the edge of the part that is getting the email.
https://answers.splunk.com/answers/310664/regex-to-extract-multiple-email-addresses-in-splun.html
https://answers.splunk.com/answers/426212/how-to-extract-only-unique-email-ids-from-a-detail.html
https://answers.splunk.com/answers/170066/how-to-write-regex-to-extract-multiple-email-addre.html
Once you have something you think will work for your stuff, test it over at regex101.com.
Finally, try this in splunk with YOUR version of the regex until it works for your data.
| makeresults
| eval myvalue="<string>hello2017@gmail.com</string>"
| rex field=myvalue "(?<myemail>.*@.*)"
The results of what I put above are not exactly correct, but the code will run enough that you can fix it by putting your working regex in the last line.
I was gonna make him work for it, since even a cursory google found several easy answers on answer.splunk.com.
There is nothing 100% 🙂, but as per this site, the pattern which can reach 99.99% is
([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)
Full example below
|makeresults | eval _raw="<string>hello2017@gmail.co.uk</string>" | rex field=_raw "(?<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)"| table _raw, emailaddr
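Added example (not part of the thread or of Splunk's own documentation): the named-group patterns posted above, run in Python's re module against the original event plus two constructed ones, so each answer's capture can be compared side by side before it goes into a rex command. Python spells a named group (?P<name>...) where Splunk's PCRE accepts (?<name>...); the character classes are otherwise the same. It also covers the hyphen-placement issue from the "\w\d.-_" answer (an unescaped hyphen between two characters inside [] is a range, not a literal) and the over-greedy .*@.* harness from the makeresults answer. The event strings other than the first, and all function names, are assumptions made for this example.

```python
import re

# Sample events: the first is the one from the question, the other two are
# constructed here to exercise a subdomain with "+" tagging and a non-match.
EVENTS = [
    "<string>hello2017@gmail.com</string>",
    "<string>first.last+tag@gmail.co.uk</string>",
    "<string>no-address-here</string>",
]

# Pattern from the first answer: word chars, dots and hyphens on both sides.
SIMPLE = re.compile(r"(?P<email>[\w\d\.\-]+@[\w\d\.]+)")

# Same class, but anchored on the surrounding <string> tag so nothing outside
# the element can ever be captured.
ANCHORED = re.compile(r"string>(?P<email>[\w\d\.\-]+@[\w\d\.]+)<")

# The "99.99%" pattern from the last answer, requiring a dot in the domain.
PRECISE = re.compile(
    r"(?P<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)"
)

# Hyphen pitfall: inside [] the sequence ".-_" is a RANGE from 0x2E to 0x5F,
# which silently includes "<", ">", "/", ":" and even "@", so the class swallows
# the surrounding tag. Putting "-" last (or escaping it) makes it a literal.
RANGE_BUG = re.compile(r"(?P<email>[\w\d.-_]+@[\w\d.-_]+)")
RANGE_FIXED = re.compile(r"(?P<email>[\w\d._-]+@[\w\d._-]+)")

# The throwaway harness regex from the makeresults answer: both .* are greedy,
# so the whole line is captured, exactly as that answer warns.
GREEDY = re.compile(r"(?P<myemail>.*@.*)")


def extract(pattern, event, group="email"):
    """Return the named capture for one event, or None when the regex does not
    match (the equivalent of rex leaving the field unset)."""
    m = pattern.search(event)
    return m.group(group) if m else None


def extract_all(pattern, events, group="email"):
    """Run one pattern over every event, keeping None for non-matches."""
    return [extract(pattern, e, group) for e in events]


if __name__ == "__main__":
    for name, pat, group in [
        ("SIMPLE", SIMPLE, "email"),
        ("ANCHORED", ANCHORED, "email"),
        ("PRECISE", PRECISE, "emailaddr"),
        ("RANGE_BUG", RANGE_BUG, "email"),
        ("RANGE_FIXED", RANGE_FIXED, "email"),
        ("GREEDY", GREEDY, "myemail"),
    ]:
        print(f"{name:12} {extract_all(pat, EVENTS, group)}")
```

Running it shows why the answers differ: SIMPLE and ANCHORED do not allow "+" in the local part, so on the second event SIMPLE captures only "tag@gmail.co.uk" and ANCHORED captures nothing, while PRECISE returns the full address; RANGE_BUG returns the entire line including the tags, and RANGE_FIXED returns the bare address. Paste the class from whichever pattern behaves correctly into the rex command, keeping the (?<name>...) spelling for Splunk.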