- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Regex not giving right results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex not giving right results
Hi Community members.
I need your help to identify where I am doing wrong in regex field extraction.
Actually there are email logs which contains data like:-
sender=abc@ibn.com message_id= xxxxxxx@ibn.com _time=13:24:23:445
sender=xyz@xyz.com message_id=yyyyy@xyz.com _time=12:34:13:1344
sender=utr@tbc.com message_id=uuuuu@tbc.com _time=12:12:53:1233
I wrote regex to extract data after @ to see what domains are there in message_id field and wrote regex on website "https://regex101.com/" is working but in Splunk I am not getting expected output where Splunk returning full message_id data means xxxx@ibn.com and not ibn.com
Wrote Query:
index=email_logs earliest=-30m | regex message_id="(?<=@).+" | stats count by message_id
Current Splunk Output is:-
xxxxxxx@ibn.com
yyyyy@xyz.com
uuuuu@tbc.com
Required output under message_id should be:-
ibn.com
xyz.com
tbc.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
index=email_logs earliest=-30m
| eval domain=mvindex(split(message_id,"@"),-1)
| stats count BY domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a few problems, not the least of which is confusion between rex and regex commands; try this:
index=email_logs earliest=-30m
| rex field=message_id "\@(?<message_domain>\S+)
| stats count BY message_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=email_logs earliest=-30m
| rex "message_id=.*@(?<message_id>\S+)"
| stats count by message_id
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're looking to TRANSFORM your existing message_id field so that everything up to and including the @ (at-symbol) gets thrown away, then try this:
| makeresults | eval raw2=split("sender=abc@ibn.com message_id=xxxxxxx@ibn.com _time=13:24:23:445,sender=xyz@xyz.com message_id=yyyyy@xyz.com _time=12:34:13:1344,sender=utr@tbc.com message_id=uuuuu@tbc.com _time=12:12:53:1233",",") | mvexpand raw2 | eval _raw=raw2 | extract | fields - _raw raw2
| rex mode=sed field=message_id "s/.*@(.*)/\1/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The regex command filters events. It doesn't extract fields or modify data. For that, you need rex. Try this:
index=email_logs earliest=-30m | regex message_id="(?<=@).+" | reg field=message_id mode=sed "s/@.*//" | stats count by message_id
If this reply helps you, Karma would be appreciated.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
