topic Re: Regex for extracting email with a trailing whitespace in Splunk Search

Regex for extracting email with a trailing whitespace

nmayafit — Mon, 13 Nov 2017 13:43:17 GMT

Hi,

I have log line according to the next template: [2017-11-03 13:55:52,945] [MYPROJ] [EMAIL=xxx@yyy.com]

But I want to find users (EMAIL) where the user inserted a whitespace at the start/end of the email: [2017-11-03 13:55:52,945] [MYPROJ] [EMAIL=xxx@yyy.com ] <- notice the end of the email

Somehow no regex will find it.

Is there something in the splunk admin conf that will trim the whitespace automatically?

Thanks

Re: Regex for extracting email with a trailing whitespace

micahkemp — Mon, 13 Nov 2017 15:55:01 GMT

| rex "(?<email_with_trailing_space>\[EMAIL=[^]]+ \])" | search email_with_trailing_space=*

That will extract the full [EMAIL=...] portion of the log and allow you to search for a space before the closing ].

Re: Regex for extracting email with a trailing whitespace

kamlesh_vaghela — Mon, 13 Nov 2017 15:57:59 GMT

HI,

Can you please try rex? This rex will extract EMAIL ID and blank space (if any)

.*EMAIL=(?<EMAIL_ID>.*)(?<BLANK_SPACE>[|.\s])

You can try below search also.

YOUR_SEARCH
| rex field=_raw.*EMAIL=(?<EMAIL_ID>.*)(?<BLANK_SPACE>[|.\s])
| table _time EMAIL_ID BLANK_SPACE

This search will list you eail_is as well as BLANK Space at ed of email id(if any).

Re: Regex for extracting email with a trailing whitespace

nmayafit — Mon, 13 Nov 2017 16:44:30 GMT

Great catch. REALLY not according to splunk's docs ([\s] etc.)

Re: Regex for extracting email with a trailing whitespace

DalJeanis — Mon, 13 Nov 2017 18:58:51 GMT

This line, in a search, will alter field EMAIL so that all spaces are deleted.

| rex field=EMAIL mode=sed "s/ //g"

You can also sedmode the events at the indexer while you are ingesting them, which alters the underlying _raw data.

SEDCMD-foo s/(\[EMAIL=)(\s*)(\S*)(\s*)(\S*)(\s*)(\])/\1\3\5\7/g