How to filter only one email address domain if you...

rodrigvi · ‎09-15-2019

How to filter only one email address domain if you have multiple email address entries, example :
I have more than 1000 gmail.com entries. Only I need to filter "gmail.com" domain in splunk , I don't care about other emails. but I don't want to create a filter with 1000 records each for any gmail.com account.

acb@gmail.com
cde@gmail.com
1234@gmail.com
321@yahoo.com
123@yahoo.com
terra@hotmail.com
z@roo@hotmail.com

Thanks for your help

adonio · ‎09-16-2019

create a new field that matches the domain and search against it ...

form the top of my head:
try this anywhere to see

| makeresults count=1
| eval emails = "acb@gmail.com;;;cde@gmail.com;;;1234@gmail.com;;;321@yahoo.com;;;123@yahoo.com;;;terra@hotmail.com;;;z@roo@hotmail.com"
| makemv delim=";;;" emails
| mvexpand emails
| rex field=emails "\@(?<domain>[^\.]+)"
| search domain=gmail

you might need a better regex for more complex / emails that have the @ in the address itself

How to filter only one email address domain if you have multiple email address entries

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to filter only one email address domain if you have multiple email address entries

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...