Solved: Re: How would I use eval with a wildcard to create...

the_wolverine · ‎09-25-2014

I have many email addresses that I want to lump by domain. How do I use eval to do this?

the_wolverine · ‎09-25-2014

index=main sourcetype=email address=* | eval domain=case(address LIKE "%gmail.com", "GMAIL", address LIKE "%yahoo.com", "YAHOO",address LIKE "%hotmail.com","HOTMAIL") | stats count by domain

(% is the wildcard)

There are many ways to do this so I hope other folks add their examples.

View solution in original post

mikaelbje · ‎09-25-2014

For completeness here's another way to achieve this:

index=* address=* | eval x=split(address, "@") | eval domain=mvindex(x,1)

Not sure which solution is faster though

sk314 · ‎09-25-2014

You could also use rex on your email address field to capture domain in a separate field. This way you do not have to list out all possible domain cases in an eval statement.

For example:

index=<your index> sourcetype=<your sourcetype> | rex field=<email_address_field> "\w+@(?<domain>\w+)\.\w+" | ...

This captures your domains in a separate field (domain). Hope this helps.

the_wolverine · ‎09-25-2014

index=main sourcetype=email address=* | eval domain=case(address LIKE "%gmail.com", "GMAIL", address LIKE "%yahoo.com", "YAHOO",address LIKE "%hotmail.com","HOTMAIL") | stats count by domain

(% is the wildcard)

There are many ways to do this so I hope other folks add their examples.

How would I use eval with a wildcard to create a combined value?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?