Solved: Re: How to index email values without special char...

andresito123 · ‎06-14-2016

Hello to the community!

I have an email field with values following this pattern: <example@example.com>

Is there any way to remove the special characters < and > and index the value as example@example.com?

Thanks!

Raghav2384 · ‎06-14-2016

Hello,

Several ways to do it. Please check this accepted answer

https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html

Also, you could achieve something similar with SEDCMD. PLease see the props.conf

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Syntax:
- replace - s/regex/replacement/flags
  - regex is a perl regular expression (optionally containing capturing groups).
  - replacement is a string to replace the regex match. Use \n for back references, where "n" is a single digit.
  - flags can be either: g to replace all matches, or a number to replace a specified match.
- substitute - y/string1/string2/
  - substitutes the string1[i] with string2[i]

simple example: SEDCMD-hash = "s/this/that/g"

Make sure it doesn't conflict with other <> in the same log.

Hope this helps!

Thanks,
Raghav

View solution in original post

woodcock · ‎06-14-2016

Like this:

... | rex field=MyEmailFieldName mode=sed "s/[<>]//g"

andresito123 · ‎06-14-2016

This works, but I want it to have in indexing time. I don't want the special characters to show up and need to map it on CIM so as Enterprise Security will correlate this info as an email without < and >.

woodcock · ‎06-14-2016

Then use SEDCMD (with the same sed string without the quotes)"

http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Anonymizedatausingconfigurationfiles

Raghav2384 · ‎06-14-2016

Hello,

Several ways to do it. Please check this accepted answer

https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html

Also, you could achieve something similar with SEDCMD. PLease see the props.conf

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Syntax:
- replace - s/regex/replacement/flags
  - regex is a perl regular expression (optionally containing capturing groups).
  - replacement is a string to replace the regex match. Use \n for back references, where "n" is a single digit.
  - flags can be either: g to replace all matches, or a number to replace a specified match.
- substitute - y/string1/string2/
  - substitutes the string1[i] with string2[i]

simple example: SEDCMD-hash = "s/this/that/g"

Make sure it doesn't conflict with other <> in the same log.

Hope this helps!

Thanks,
Raghav

andresito123 · ‎06-14-2016

I have put in my /opt/splunk/etc/system/local/props.conf the following:

[mysourcetype]
SEDCMD-stripEmail = "s/[<>]//g"

But it seems that the emails are indexed as: <example@example.com>.

Any ideas?

Raghav2384 · ‎06-14-2016

Try without quotes

[mysourcetype]
SEDCMD-stripemail=s/[<>]//g as @woodcock stated

Hope this helps!

Thanks,
Raghav

ppablo · ‎06-14-2016

Hi @andresito123

I think the pattern you were trying to show didn't render properly. I would edit your question and re-paste your sample pattern, but be sure to use the text editing tools. Highlight your code, then click on the "Code Sample" button for it to display.

andresito123 · ‎06-14-2016

Fixed with an edit!

How to index email values without special characters?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!