I have an event from which I'm trying to extract the email address between "Forwarding Address: " and ", Verification". The challenge is this event may have multiple Forwarding Addresses listed or none at all. I found a RegEx testing site where I was able to create the following RegEx expression to match the three forwarding addresses below, "(?<=Forwarding Address: )(.*)(?=,)", but it doesn't work within Splunk.
What is the best way that I can extract an unknown number of Forwarding Addresses for each event? Each Forwarding Address would be on a separate line, as shown below. Ideally, I would like to label any extraction that is between "Forwarding Address: " and "," as "Forwarding_Address". Please let me know if you have any questions and thank you in advance.
User: user1firstname.user1lastname@companydomain.com, Forwarding Addresses: (44/250)
Forwarding Address: user1firstname.user1lastname@domain1.com, Verification Status: accepted (1/3)
Forwarding Address: user2firstname.user2lastname@domain1.com, Verification Status: accepted (2/3)
Forwarding Address: distgroup@domain2.com, Verification Status: accepted (3/3)
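An added example, not part of the original post: one way to pull every address between "Forwarding Address: " and the following comma out of an event, returning an empty list when there are none. It is written in Python so it can be run offline; the sample events are constructed from the lines in the post, and `parse_event`, `forwarding_addresses` and the `status` group are names assumed here.

```python
import re

# Constructed sample events, modelled on the lines in the post.
EVENT_WITH_FORWARDS = """\
User: user1firstname.user1lastname@companydomain.com, Forwarding Addresses: (44/250)
Forwarding Address: user1firstname.user1lastname@domain1.com, Verification Status: accepted (1/3)
Forwarding Address: user2firstname.user2lastname@domain1.com, Verification Status: accepted (2/3)
Forwarding Address: distgroup@domain2.com, Verification Status: accepted (3/3)
"""
EVENT_NO_FORWARDS = "User: user3@companydomain.com, Forwarding Addresses: (45/250)\n"

# "Forwarding Address: " (singular, colon, space) does not match the
# "Forwarding Addresses:" header line. [^,\s]+ stops at the first comma, so a
# line holding several commas cannot be over-captured the way a greedy .* can.
FORWARD_RE = re.compile(
    r"Forwarding Address: (?P<Forwarding_Address>[^,\s]+), "
    r"Verification Status: (?P<status>\w+)"
)
USER_RE = re.compile(r"^User: (?P<user>[^,\s]+),", re.MULTILINE)


def parse_event(raw):
    """Return the mailbox owner and every (address, status) pair in one event."""
    user = USER_RE.search(raw)
    forwards = [(m["Forwarding_Address"], m["status"])
                for m in FORWARD_RE.finditer(raw)]
    return {"user": user["user"] if user else None, "forwards": forwards}


def forwarding_addresses(raw):
    """Multivalue view of one event: a list of zero or more addresses."""
    return [addr for addr, _ in parse_event(raw)["forwards"]]


if __name__ == "__main__":
    for event in (EVENT_WITH_FORWARDS, EVENT_NO_FORWARDS):
        print(parse_event(event))
```

In Splunk, the equivalent is a `rex` command with `max_match=0` and the group written as `(?<Forwarding_Address>[^,\s]+)`, which produces a multivalue field.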