https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218543#M64227 <P>Try something like this</P> <PRE><CODE>your base search | eval sender_domain=mvindex(split(sender,"@"),-1) ..... </CODE></PRE> <P>OR </P> <PRE><CODE>your base search | rex field=sender ".*@(?&lt;sender_domain&gt;.*)" </CODE></PRE> Fri, 08 Jan 2016 19:38:20 GMT somesoni2 2016-01-08T19:38:20Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218542#M64226 <P>Hi,</P> <P>I am really new to Splunk and Regular Expression stuff. I was planning to extract just the domain names of all e-mail senders in my SMTP Log. For example, If the sender field value is <CODE>store_news @amazon.com</CODE>, then I just want to extract the domain name which is <CODE>amazon.com</CODE>. Can somebody please provide me a way to perform this?</P> <P>Thanks<BR /> Appreciated</P> Fri, 08 Jan 2016 19:28:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218542#M64226 jspvkey 2016-01-08T19:28:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218543#M64227 <P>Try something like this</P> <PRE><CODE>your base search | eval sender_domain=mvindex(split(sender,"@"),-1) ..... </CODE></PRE> <P>OR </P> <PRE><CODE>your base search | rex field=sender ".*@(?&lt;sender_domain&gt;.*)" </CODE></PRE> Fri, 08 Jan 2016 19:38:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218543#M64227 somesoni2 2016-01-08T19:38:20Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218544#M64228 <P>If you are uncomfortable with regular expressions, you can use the Interactive Field Extractor. Documentation here: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ExtractfieldsinteractivelywithIFX</A> </P> Fri, 08 Jan 2016 19:43:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218544#M64228 jluo_splunk 2016-01-08T19:43:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218545#M64229 <H3>Learn Regex</H3> <H4><A href="http://regexone.com">http://regexone.com</A></H4> <H4><A href="http://www.regular-expressions.info/quickstart.html">http://www.regular-expressions.info/quickstart.html</A></H4> <HR /> <H2>Search answers:</H2> <P><A href="https://answers.splunk.com/answers/338138/how-to-search-for-and-extract-email-ids-with-dot-t.html">https://answers.splunk.com/answers/338138/how-to-search-for-and-extract-email-ids-with-dot-t.html</A><BR /> <A href="https://answers.splunk.com/answers/190126/how-to-extract-only-the-top-level-domain-tld-from.html">https://answers.splunk.com/answers/190126/how-to-extract-only-the-top-level-domain-tld-from.html</A></P> <HR /> <H3>Read about:</H3> <UL> <LI><A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ExtractfieldsinteractivelywithIFX">field extractor</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">props.conf</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/AboutSplunkregularexpressions">Splunk regular expressions</A></LI> </UL> Fri, 08 Jan 2016 19:43:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218545#M64229 aljohnson_splun 2016-01-08T19:43:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218546#M64230 <P>Here is another one</P> <PRE><CODE>@(?\w+.\w{3}) </CODE></PRE> Sun, 10 Jan 2016 06:08:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218546#M64230 mhassan 2016-01-10T06:08:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218547#M64231 <P>This one won't work for all email addresses...</P> Thu, 14 Jan 2016 23:54:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218547#M64231 lguinn2 2016-01-14T23:54:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218548#M64232 <P>Based on your answer, I used the following to extract the domain part and sort by number of occurrences for the top 20:</P> <PRE><CODE>your base search | eval sender_domain=mvindex(split(sender,"@"),-1) | top limit=20 sender_domain </CODE></PRE> Mon, 30 Sep 2019 08:14:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218548#M64232 thahn 2019-09-30T08:14:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218549#M64233 <P>Agreed, there are top level domains with shorter and longer lengths. Also the dot isn't escaped.</P> Mon, 30 Sep 2019 09:02:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regular-expression-to-extract-the-domain-name/m-p/218549#M64233 martynoconnor 2019-09-30T09:02:40Z