topic Re: How do you extract user names from a field that contains an email address? in Splunk Search

How do you extract user names from a field that contains an email address?

PanIrosha — Tue, 30 Oct 2018 13:22:53 GMT

Hi Experts,

I have a data field called "userId" (FirstName.LastName@DomainName) in one of my data sources. Is there a way to create a new field called "user" just by extracting the "FirstName.LastName" part from the "userId" field ?

Thank you in advance

Re: How do you extract user names from a field that contains an email address?

renjith_nair — Tue, 30 Oct 2018 13:47:23 GMT

@PanIrosha,
Try

your search|rex field=userId "(?<user>\w+\.\w+)"

In case your names contain digits and - (hyphen) then use,

your search|rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"

Re: How do you extract user names from a field that contains an email address?

PanIrosha — Tue, 30 Oct 2018 15:08:44 GMT

Hi Renjith,

Thank you very much for the quick response. will you be able to tell me how to create the field adding this this please ? i am quite new to splunk

Thank you 🙂

Re: How do you extract user names from a field that contains an email address?

renjith_nair — Tue, 30 Oct 2018 16:15:07 GMT

@PanIrosha,
the user field will be created as its used in the named group. Run the below example to check

| makeresults |eval userId="FirstName.LastName@abc.com" |rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"

Re: How do you extract user names from a field that contains an email address?

PanIrosha — Wed, 31 Oct 2018 09:21:24 GMT

Hi @renjith.nair

the regex worked fine in my search. apparently , we have few few naming conventions. some are just firstname@domain.com. can you help me to create a regex that detect "everything" before @ sign ?

Thank you very much.

Re: How do you extract user names from a field that contains an email address?

renjith_nair — Wed, 31 Oct 2018 11:25:21 GMT

@PanIrosha,

Ok, try this and upvote if it worked 🙂

|rex field=userId "(?<user>.+?(?=@))"

Re: How do you extract user names from a field that contains an email address?

PanIrosha — Tue, 29 Sep 2020 21:47:08 GMT

@renjith.nair

wow. that work like a charm. thank you very much. this regex work fine when i run in the search bar. i can see the field getting extracted. but how can i save this extraction permanently ?

i tried to save this as a field extraction in Settings > Fields > Filed Extraction. below are the settings for this extraction

Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?<user>.+?(?=@))"

App Permission: Global

in the search bar, i can get the extracted field when i search with index name

index=asa | rex field=userId "(?<user>.+?(?=@))"

but it doesn't return any results when i search with the sourcetype, source or host.

any idea wht might be the reason ?

Thank you very much Renjith.

NOTE: i am using your exact regex command given in your answers.

Regards
Irosha

Re: How do you extract user names from a field that contains an email address?

renjith_nair — Wed, 31 Oct 2018 11:53:59 GMT

@PanIrosha ,

Hi Irosha,

Since the search works fine with index=, then the field extraction is working.

If you haven't given any index name in the search, there is a property in the user role called Indexes searched by default which will be looked against to find out the indexes the search should consider by default. Unless you change that property , by default it has only main index. You can change that by Settings -> Access controls » Roles » "your role name" and scroll down to find Indexes searched by default

Re: How do you extract user names from a field that contains an email address?

PanIrosha — Tue, 29 Sep 2020 21:47:11 GMT

@renjith.nair

thank you for the prompt response. did i use the correct way to create the field extraction ? is there anything need to be added ?

i tried to save this as a field extraction in Settings > Fields > Filed Extraction. below are the settings for this extraction

Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?.+?(?=@))"

App Permission: Global

Thank you very much.