Re: I want to extract an email ID using regex

DataOrg · ‎12-12-2017

The service with id No.[sana.hello@fajfa.com] is not found in header
The service with id No.[eddadat@wifiad.net.au] is not found in header

cpetterborg · ‎12-13-2017

If you need to change the data before it is indexed, then you can use something similar to the following in your props.conf file:

[your-source-type]
SEDCMD-anonemail = s/(No\.\s*\[)[^\]+/\1#####@#####/

If your data actually differs some from your example data, you may have to adjust, but this regex will result in an obfuscated email address inside the square brackets.

harsmarvania57 · ‎12-13-2017

Hi @premranjithj,

Please use regex with sed mode | rex mode=sed "s/(.*)\[(.*)\]/\1[#####]/g"

Based on sample data I have created below query (First 3 lines are used to generate dummy data)

| makeresults 
| eval _raw="The service with id No.[sana.hello@fajfa.com] is not found in hdaher"
| append [ | makeresults | eval _raw="The service with id No.[eddadat@wifiad.net.au] is not found in headder"]
| rex mode=sed "s/(.*)\[(.*)\]/\1[#####]/g"

which is giving below output

The service with id No.[#####] is not found in hdaher
The service with id No.[#####] is not found in headder

EDIT: If you don't want to mask email ID and you want to remove it totally then use regex | rex mode=sed "s/(.*)\[(.*)\]/\1/g"

Sample query:

| makeresults 
| eval _raw="The service with id No.[sana.hello@fajfa.com] is not found in hdaher"
| append [ | makeresults | eval _raw="The service with id No.[eddadat@wifiad.net.au] is not found in headder"]
| rex mode=sed "s/(.*)\[(.*)\]/\1/g"

Which gives output as below

The service with id No. is not found in hdaher
The service with id No. is not found in headder

I hope this helps.

Thanks,
Harshil

I want to extract an email ID using regex

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability