How to extract a part of a field?

Explorer

Hey,

I have got a field extraction called mail, so I get different kinds of mail addresses as output.

But the following problem appears: all the mail addresses have a "." at the end, and I want to remove the ".".

For example: "xy.z@yahoo.com." shall be "xy.z@yahoo.com"

I tried to solve the problem by extracting the expression without the ".", but it won't work.

|rex field=mail "(?<mail>[\s]+)-."

Thanks for your help!

0 Karma
Re: How to extract a part of a field?

SplunkTrust

Try this

| rex field=mail "(?P<mail>[^\s]+)\."

Let me know if it helps!

0 Karma
Re: How to extract a part of a field?

Explorer

It works. Thanks very much 🙂

0 Karma
Re: How to extract a part of a field?

Communicator

If you really want to change the field with a Splunk search, then try the following:

| eval mail=substr(mail,0,len(mail)-1)

However, I think the better approach is to improve the actual field extraction. Can you provide the field extraction under Settings/Fields/Field extractions?

0 Karma
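
The patterns from this thread compared on values with and without the trailing dot, as an added example that is not part of any post above. It uses Python's `re` as a stand-in for the regex engine behind `rex` (the constructs used here behave the same in both); the sample addresses and the anchored pattern are assumptions made for illustration.

```python
import re

# Constructed sample values: two with the stray trailing dot, one already clean.
SAMPLES = ["xy.z@yahoo.com.", "ab@example.org.", "cd@example.net"]

# Asker's pattern, with (?<name>) written as Python's (?P<name>). [\s]+ matches
# whitespace only and "-." needs a literal hyphen, so it never matches an address.
ASKER = re.compile(r"(?P<mail>[\s]+)-.")
# Pattern from the accepted reply: greedy non-whitespace run, then a literal dot.
ACCEPTED = re.compile(r"(?P<mail>[^\s]+)\.")
# Assumed variant (not from the thread): strip at most one dot, only at the end.
ANCHORED = re.compile(r"^(?P<mail>\S+?)\.?$")


def extract(pattern, value):
    """Return the 'mail' capture, or None when the pattern does not match."""
    m = pattern.search(value)
    return m.group("mail") if m else None


def compare(values=SAMPLES):
    """Run every pattern over every value and collect what each one captures."""
    return {
        v: {
            "asker": extract(ASKER, v),
            "accepted": extract(ACCEPTED, v),
            "anchored": extract(ANCHORED, v),
            # Intent of the eval/substr reply: drop the last character unconditionally.
            "drop_last": v[:-1],
        }
        for v in values
    }


if __name__ == "__main__":
    for value, row in compare().items():
        print(value, row)
```

On a value that already lacks the trailing dot, the greedy pattern backtracks to the last dot inside the domain and the unconditional trim removes a real character, so both change the address; the anchored form leaves it intact.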