https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210446#M41449 <P>Fixed with an edit!</P> Tue, 14 Jun 2016 20:51:43 GMT andresito123 2016-06-14T20:51:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210442#M41445 <P>Hello to the community!</P> <P>I have an email field with values following this pattern: <CODE>&lt;example@example.com&gt;</CODE></P> <P>Is there any way to remove the special characters <CODE>&lt;</CODE> and <CODE>&gt;</CODE> and index the value as <A href="mailto:example@example.com">example@example.com</A>?</P> <P>Thanks!</P> Tue, 14 Jun 2016 19:41:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210442#M41445 andresito123 2016-06-14T19:41:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210443#M41446 <P>Hi @andresito123</P> <P>I think the pattern you were trying to show didn't render properly. I would edit your question and re-paste your sample pattern, but be sure to use the text editing tools. Highlight your code, then click on the "Code Sample" button for it to display. </P> Tue, 14 Jun 2016 19:52:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210443#M41446 ppablo 2016-06-14T19:52:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210444#M41447 <P>Hello,</P> <P>Several ways to do it. Please check this accepted answer</P> <P><A href="https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html">https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html</A></P> <P>Also, you could achieve something similar with SEDCMD. PLease see the props.conf</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf</A></P> <UL> <LI>Syntax: <UL> <LI>replace - s/regex/replacement/flags <UL> <LI>regex is a perl regular expression (optionally containing capturing groups).</LI> <LI>replacement is a string to replace the regex match. Use \n for back references, where "n" is a single digit.</LI> <LI>flags can be either: g to replace all matches, or a number to replace a specified match.</LI> </UL></LI> <LI>substitute - y/string1/string2/ <UL> <LI>substitutes the string1[i] with string2[i]</LI> </UL></LI> </UL></LI> </UL> <P>simple example: SEDCMD-hash = "s/this/that/g"</P> <P>Make sure it doesn't conflict with other &lt;&gt; in the same log.</P> <P>Hope this helps!</P> <P>Thanks,<BR /> Raghav</P> Tue, 14 Jun 2016 19:57:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210444#M41447 Raghav2384 2016-06-14T19:57:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210445#M41448 <P>Like this:</P> <PRE><CODE>... | rex field=MyEmailFieldName mode=sed "s/[&lt;&gt;]//g" </CODE></PRE> Tue, 14 Jun 2016 20:01:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210445#M41448 woodcock 2016-06-14T20:01:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210446#M41449 <P>Fixed with an edit!</P> Tue, 14 Jun 2016 20:51:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210446#M41449 andresito123 2016-06-14T20:51:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210447#M41450 <P>I have put in my /opt/splunk/etc/system/local/props.conf the following:</P> <PRE><CODE>[mysourcetype] SEDCMD-stripEmail = "s/[&lt;&gt;]//g" </CODE></PRE> <P>But it seems that the emails are indexed as: <CODE>&lt;example@example.com&gt;</CODE>.</P> <P>Any ideas?</P> Tue, 14 Jun 2016 20:52:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210447#M41450 andresito123 2016-06-14T20:52:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210448#M41451 <P>This works, but I want it to have in indexing time. I don't want the special characters to show up and need to map it on CIM so as Enterprise Security will correlate this info as an email without <CODE>&lt; and &gt;</CODE>.</P> Tue, 14 Jun 2016 20:53:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210448#M41451 andresito123 2016-06-14T20:53:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210449#M41452 <P>Then use SEDCMD (with the same sed string without the quotes)"</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Anonymizedatausingconfigurationfiles</A></P> Tue, 14 Jun 2016 21:01:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210449#M41452 woodcock 2016-06-14T21:01:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210450#M41453 <P>Try without quotes</P> <P>[mysourcetype]<BR /> SEDCMD-stripemail=s/[&lt;&gt;]//g as @woodcock stated</P> <P>Hope this helps!</P> <P>Thanks,<BR /> Raghav</P> Tue, 14 Jun 2016 21:06:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-email-values-without-special-characters/m-p/210450#M41453 Raghav2384 2016-06-14T21:06:26Z