https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-domain-from-delimited-email-recipients/m-p/66249#M16444 <P>I need to count the number of incoming emails from external and internal sources, and the number going out to internal and external sources. </P> <P>My data has sender_address and recipient_address fields. They look like: "email1@domain.com;email2@domain2.com"</P> <P>I have used regex to extract the domain but I am having trouble extracting the domain for additional email addresses when specified (delimited by <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> <PRE><CODE>index=hubtracking | rex field=sender_address ".[^@]+?@(?&lt;sender_domain&gt;.+)" | rex field=recipient_address ".[^@]+?@(?&lt;recipient_domain&gt;.+)" | stats count as TotalMessages, count(eval(sender_domain="mydomain.ca" AND recipient_domain="mydomain.ca")) as FromInternal, (eval(sender_domain!="mydomain.ca" AND recipient_domain="mydomain.ca")) as FromExternal </CODE></PRE> <P>This kind of works...but the problem is that I'm only counting the first address specified in that field. I imagine that I first need to extract only the domain names, and then count them?</P> Thu, 24 Mar 2011 00:30:33 GMT jamesklassen 2011-03-24T00:30:33Z https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-domain-from-delimited-email-recipients/m-p/66249#M16444 <P>I need to count the number of incoming emails from external and internal sources, and the number going out to internal and external sources. </P> <P>My data has sender_address and recipient_address fields. They look like: "email1@domain.com;email2@domain2.com"</P> <P>I have used regex to extract the domain but I am having trouble extracting the domain for additional email addresses when specified (delimited by <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> <PRE><CODE>index=hubtracking | rex field=sender_address ".[^@]+?@(?&lt;sender_domain&gt;.+)" | rex field=recipient_address ".[^@]+?@(?&lt;recipient_domain&gt;.+)" | stats count as TotalMessages, count(eval(sender_domain="mydomain.ca" AND recipient_domain="mydomain.ca")) as FromInternal, (eval(sender_domain!="mydomain.ca" AND recipient_domain="mydomain.ca")) as FromExternal </CODE></PRE> <P>This kind of works...but the problem is that I'm only counting the first address specified in that field. I imagine that I first need to extract only the domain names, and then count them?</P> Thu, 24 Mar 2011 00:30:33 GMT https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-domain-from-delimited-email-recipients/m-p/66249#M16444 jamesklassen 2011-03-24T00:30:33Z https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-domain-from-delimited-email-recipients/m-p/66250#M16445 <P>I have the regex now, I just need to figure out how to count all of the domains now: rex field=sender_address "[a-zA-Z][\w.-]<EM>[a-zA-Z0-9]@(?<SENDER_DOMAIN>[a-zA-Z0-9][\w.-]</SENDER_DOMAIN></EM>[a-zA-Z0-9].[a-zA-Z][a-zA-Z.]*[a-zA-Z])" | where(name = ";")</P> Mon, 28 Sep 2020 09:26:36 GMT https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-domain-from-delimited-email-recipients/m-p/66250#M16445 jamesklassen 2020-09-28T09:26:36Z https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-domain-from-delimited-email-recipients/m-p/66251#M16446 <P>Got it, here's an example for anyone else working to get stats from Exchange 2010 message tracking logs:</P> <PRE><CODE>index=hubtracking NOT SystemMailbox* | dedup message_id | rex field=sender_address "[a-zA-Z][\w\.-]*[a-zA-Z0-9]@(?&lt;sender_domain&gt;[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z])" | rex field=recipient_address "[a-zA-Z][\w\.-]*[a-zA-Z0-9]@(?&lt;recipient_domain&gt;[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z])" | stats sum(recipient_count) as TotalMessages, count(eval(sender_domain="yourdomain.com" AND recipient_domain="yourdomain.com")) as FromInternal </CODE></PRE> Thu, 24 Mar 2011 03:54:23 GMT https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-domain-from-delimited-email-recipients/m-p/66251#M16446 jamesklassen 2011-03-24T03:54:23Z