Hi Community members.
I need your help to identify where I am going wrong in regex field extraction.
There are email logs which contain data like:
sender=abc@ibn.com message_id= xxxxxxx@ibn.com _time=13:24:23:445
sender=xyz@xyz.com message_id=yyyyy@xyz.com _time=12:34:13:1344
sender=utr@tbc.com message_id=uuuuu@tbc.com _time=12:12:53:1233
I wrote a regex to extract the data after the @ to see what domains are in the message_id field. On the website "https://regex101.com/" it is working, but in Splunk I am not getting the expected output: Splunk returns the full message_id data, i.e. xxxx@ibn.com and not ibn.com.
Query I wrote:
index=email_logs earliest=-30m | regex message_id="(?<=@).+" | stats count by message_id
Current Splunk output is:
xxxxxxx@ibn.com
yyyyy@xyz.com
uuuuu@tbc.com
Required output under message_id should be:
ibn.com
xyz.com
tbc.com
Hi
Try this
index=email_logs earliest=-30m
| eval domain=mvindex(split(message_id,"@"),-1)
| stats count BY domain
There are a few problems, not the least of which is confusion between the rex and regex commands; try this:
index=email_logs earliest=-30m
| rex field=message_id "\@(?<message_domain>\S+)"
| stats count BY message_domain
index=email_logs earliest=-30m
| rex "message_id=.*@(?<message_id>\S+)"
| stats count by message_id
How about this?
If you're looking to TRANSFORM your existing message_id field so that everything up to and including the @ (at-symbol) gets thrown away, then try this:
| makeresults | eval raw2=split("sender=abc@ibn.com message_id=xxxxxxx@ibn.com _time=13:24:23:445,sender=xyz@xyz.com message_id=yyyyy@xyz.com _time=12:34:13:1344,sender=utr@tbc.com message_id=uuuuu@tbc.com _time=12:12:53:1233",",") | mvexpand raw2 | eval _raw=raw2 | extract | fields - _raw raw2
| rex mode=sed field=message_id "s/.*@(.*)/\1/g"
The regex command filters events. It doesn't extract fields or modify data. For that, you need rex. Try this:
index=email_logs earliest=-30m | regex message_id="(?<=@).+" | rex field=message_id mode=sed "s/.*@//" | stats count by message_id
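As an added, self-contained example (not posted by anyone in this thread), the query below builds four constructed message_id values with makeresults, pulls the domain out with rex into a new field, lower-cases it so that TBC.com and tbc.com are counted together, and keeps a visible bucket for any event whose message_id has no @ at all. The field name message_domain and the placeholder text "<no domain>" are my own choices, not anything from the original question.

```spl
| makeresults count=4
| streamstats count AS n
| eval message_id=case(n==1, "xxxxxxx@ibn.com",
                       n==2, "yyyyy@xyz.com",
                       n==3, "uuuuu@TBC.com",
                       n==4, "no-at-sign-here")
| rex field=message_id "@(?<message_domain>[^@\s]+)$"
| eval message_domain=lower(coalesce(message_domain, "<no domain>"))
| stats count BY message_domain
```

Expected result: one row each for ibn.com, tbc.com, xyz.com and "<no domain>", each with count 1. If you replace the rex line with `| regex message_id="@"`, the fourth event is simply dropped and message_id is left untouched, which is the filter-versus-extract difference the answers above describe. For real data, swap the first three lines for `index=email_logs earliest=-30m` and keep the rest of the pipeline.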