https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333005#M99035 <P>Hello,</P> <P>I cannot figure out the syntax of the rex function. I have a field called email with multiple domains: <A href="mailto:katz.r@blah.com">katz.r@blah.com</A> <A href="mailto:example@blahblah.com">example@blahblah.com</A>. I need to create a new field where just katz.r and example are returned- so it is cut off at the @ sign. I cannot figure out the syntax of rex to write it and the split function keeps both the values: katz.r and blah.com-which is not what I want. I also tried rtim but I that isn't working for a field- just a given string. </P> <P>Thanks for the help!</P> Tue, 12 Sep 2017 17:24:44 GMT katzr 2017-09-12T17:24:44Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333005#M99035 <P>Hello,</P> <P>I cannot figure out the syntax of the rex function. I have a field called email with multiple domains: <A href="mailto:katz.r@blah.com">katz.r@blah.com</A> <A href="mailto:example@blahblah.com">example@blahblah.com</A>. I need to create a new field where just katz.r and example are returned- so it is cut off at the @ sign. I cannot figure out the syntax of rex to write it and the split function keeps both the values: katz.r and blah.com-which is not what I want. I also tried rtim but I that isn't working for a field- just a given string. </P> <P>Thanks for the help!</P> Tue, 12 Sep 2017 17:24:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333005#M99035 katzr 2017-09-12T17:24:44Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333006#M99036 <P>Hi<BR /> why do you want to use regex?<BR /> try using makemv and mvexpand, something like this<BR /> index=_internal | head 1| eval IP="<A href="mailto:katz.r@blah.com">katz.r@blah.com</A> <A href="mailto:example@blahblah.com">example@blahblah.com</A>" | makemv IP | mvexpand IP | table IP<BR /> Bye.<BR /> Giuseppe</P> Tue, 12 Sep 2017 17:34:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333006#M99036 gcusello 2017-09-12T17:34:50Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333007#M99037 <P>I need to perform this action for the whole field email- not just those example strings</P> Tue, 12 Sep 2017 17:38:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333007#M99037 katzr 2017-09-12T17:38:11Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333008#M99038 <P>Could you share an example to extract fields?<BR /> Bye.<BR /> Giuseppe</P> Tue, 12 Sep 2017 17:47:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333008#M99038 gcusello 2017-09-12T17:47:53Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333009#M99039 <P>The field is called email and contains values of a typical email. And I want a new field that just includes the portion of the email string before the @. </P> <P>So <A href="mailto:katz.r@blahblah.com">katz.r@blahblah.com</A> is a value in the field Email. And I want just katz.r in a new field. </P> Tue, 12 Sep 2017 17:51:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333009#M99039 katzr 2017-09-12T17:51:13Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333010#M99040 <P>Thanks for help!</P> Tue, 12 Sep 2017 17:51:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333010#M99040 katzr 2017-09-12T17:51:23Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333011#M99041 <PRE><CODE>| makeresults | eval email="anybody@mail.com" | rex field=email "^(?&lt;firstPart&gt;.*)@" | table email, firstPart </CODE></PRE> <P>I am assuming your events have a field called 'email' with just one value per event, but across events there are multiple values.<BR /> If your email field contains multiple email addresses in each event, the approach would be different. So please clarify, if this is not what you need.</P> Tue, 12 Sep 2017 18:11:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333011#M99041 s2_splunk 2017-09-12T18:11:23Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333012#M99042 <P>So if you just want to isolate the username from the domain in the <CODE>email</CODE> field into a new field (I'm using <CODE>user</CODE>), you can do that something like this:</P> <PRE><CODE>... | eval user=email | rex field=user mode=sed "s/@\S+//g" </CODE></PRE> Tue, 12 Sep 2017 18:42:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333012#M99042 cpetterborg 2017-09-12T18:42:21Z https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333013#M99043 <P>@katzr, Similar question was asked a day before... <A href="https://answers.splunk.com/answers/569242/having-difficulties-at-search-trying-to-use-sed-to.html">https://answers.splunk.com/answers/569242/having-difficulties-at-search-trying-to-use-sed-to.html</A>. @cpetterborg, with accepted answer to that question, has already answered here with his accepted answer using <CODE>sed</CODE>, following is rex on similar lines but without sed:</P> <PRE><CODE> | makeresults | eval _raw="user@domain.com" | rex "(?&lt;user&gt;[^@]+)@" </CODE></PRE> Tue, 12 Sep 2017 19:03:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Trim-string-at-need-help-creating-rex-search/m-p/333013#M99043 niketn 2017-09-12T19:03:46Z