I'm trying to filter down a list of internal email addresses at search time in a field called "email". They are all in the same internal mail domain, in the format user@domain.com. I want to truncate them down to everything before the @ sign (so just user instead of user@domain.com). I've been trying to use a rex sed mode command to do this, unsuccessfully. My plan is to replace everything from the @ sign to the end of the field with "" to truncate the line. When I attempt to search and replace the @ sign, it never even pulls any data. However, if I search and replace anything else, like "domain", it works fine. For example, given the email address me@domain.com, the following works:
rex mode=sed field=Email "s/\"domain/""/g"
The result is me.com. Does Splunk rex sed mode somehow treat the @ sign as some sort of special character? I've tried escaping it in numerous ways without success.
rex mode=sed field=Email "s/\"@/""/g"
just kills the search right away, saying there is no data. I am open to other ways to truncate a field as well.