Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract email addresses from URLs using regex?

dsmeerkat
Explorer
‎05-01-2019 09:44 AM

I have URL's that contain email addresses that I would like to extract via rex into an email field:

SAMPLE RAW:

macplatform.wondershare.com/interface.php?m=co&client_sign={CD1AABB2-586E-55A5-A891-877563550973}&product_id=735&version=10.3.2&email=Christopher.Nobody@somedomain.com&lang=en_us&type=0&cc=92445606E83D64D283AD3A5EF2A9869E&interface_version=1.1

link.defensenews.com/manage/5ba/preferences-center?email=moe.nobody@domain.org

www2.criver.com/form/checkEmailAjax/account_id/60962/form_field_id/129003/tracker_id/278458707/field_id/60962_129003pi_60962_129003?param=Edward.Nobody2@some.com

login.yahoo.com/account/comm-channel/refresh?display=login&.intl=us&intl=us&.lang=en-US&src=finance&.src=finance&login=kimberly.nobody@somewhere.gov&tn=arinfo_review&context=spreg_cc&.

www.borisfx.com/BCCAVXActivation.php?UPID=MCHITNB-ADRELHQ-OSJZBFU-VYIQAAM&email=ronald.nobody@blahbl...

www.idevmail.net/unsubscribe.aspx?d=94&m=1319&e=jill.nobody2@domain.net

0 Karma
Reply

anthonymelita
Contributor
‎05-01-2019 10:12 AM

You may want to add other characters like - and _ to the regex. This is primitive and just catching the word and . characters on either side of the @ and assumes your url is delimited with other special chars like = from your examples

| makeresults
| eval foo="macplatform.wondershare.com/interface.php?m=co&client_sign={CD1AABB2-586E-55A5-A891-877563550973}∏uct_id=735&version=10.3.2&email=Christopher.Nobody@somedomain.com⟨=en_us&type=0&cc=92445606E83D64D283AD3A5EF2A9869E∫erface_version=1.1 
link.defensenews.com/manage/5ba/preferences-center?email=moe.nobody@domain.org 
www2.criver.com/form/checkEmailAjax/account_id/60962/form_field_id/129003/tracker_id/278458707/field_id/60962_129003pi_60962_129003?param=Edward.Nobody2@some.com 
login.yahoo.com/account/comm-channel/refresh?display=login&.intl=us∫l=us&.lang=en-US&src=finance&.src=finance&login=kimberly.nobody@somewhere.gov&tn=arinfo_review&context=spreg_cc&. 
www.borisfx.com/BCCAVXActivation.php?UPID=MCHITNB-ADRELHQ-OSJZBFU-VYIQAAM&email=ronald.nobody@blahbl... www.idevmail.net/unsubscribe.aspx?d=94&m=1319&e=jill.nobody2@domain.net";
| makemv foo delim=" "
| mvexpand foo
| rex field=foo "(?<email>[\w\.]+@[\w\.]+)"
| table foo email
0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎05-01-2019 10:07 AM

Are you asking for the community to write the regex for you? I'm not sure exactly what your question is. What have you tried so far?

0 Karma
Reply

dsmeerkat
Explorer
‎05-01-2019 10:12 AM

Yes I am new to splunk and I'm not sure how to write this regex...I tried extracting a new field with the tool, but it didn't always work.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...