topic Re: How to generate a regular expression to extract the email from my _raw event? in Splunk Search

How to generate a regular expression to extract the email from my _raw event?

sravankaripe — Mon, 06 Mar 2017 19:01:02 GMT

Help me with regular expression in search to pick
hello2017@gmail.com from _raw event below

<string>hello2017@gmail.com</string>

Re: How to generate a regular expression to extract the email from my _raw event?

koshyk — Mon, 06 Mar 2017 19:36:24 GMT

There is nothing 100% 🙂 , but as per this site which can reach 99.99% pattern is

([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)

Full example below

|makeresults | eval _raw="<string>hello2017@gmail.co.uk</string>" | rex field=_raw "(?<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)"| table _raw, emailaddr

Re: How to generate a regular expression to extract the email from my _raw event?

somesoni2 — Mon, 06 Mar 2017 19:36:35 GMT

Try this

your base search | rex "(?<email>[\w\d\.\-]+\@[\w\d\.]+)"

OR better

your base search | rex "string\>(?<email>[\w\d\.\-]+\@[\w\d\.]+)\<"

Re: How to generate a regular expression to extract the email from my _raw event?

DalJeanis — Mon, 06 Mar 2017 19:38:29 GMT

Here's three answers to your question. Look for the section of the regex that has an @ in the middle of it, and look right and left until you find the edge of the part that is getting the email.

https://answers.splunk.com/answers/310664/regex-to-extract-multiple-email-addresses-in-splun.html
https://answers.splunk.com/answers/426212/how-to-extract-only-unique-email-ids-from-a-detail.html
https://answers.splunk.com/answers/170066/how-to-write-regex-to-extract-multiple-email-addre.html

Once you have something you think will work for your stuff, test it over at regex101.com.

Finally, try this in splunk with YOUR version of the regex until it works for your data.

| makeresults 
| eval myvalue="<string>hello2017@gmail.com</string>" 
| rex field=myvalue "(?<myemail>.*@.*)"

The results of what I put above are not exactly correct, but the code will run enough that you can fix it by putting your working regex in the last line.

Re: How to generate a regular expression to extract the email from my _raw event?

DalJeanis — Mon, 06 Mar 2017 19:40:28 GMT

I was gonna make him work for it, since even a cursory google found several easy answers on answer.splunk.com.

Re: How to generate a regular expression to extract the email from my _raw event?

ckp123 — Tue, 02 Apr 2019 13:27:43 GMT

your base search | rex "(?[\w\d.-_]+\@[\w\d.-_]+)"

If you feel some other special character would be there on email ID or dmail field, add them along with "\w\d.-_" inside [] in both places