Splunk Enterprise Security

Regex not giving right results

Ankush_Kumar
New Member

Hi Community members.

I need your help to identify where I am doing wrong in regex field extraction.

Actually there are email logs which contain data like:

sender=abc@ibn.com message_id= xxxxxxx@ibn.com _time=13:24:23:445
sender=xyz@xyz.com message_id=yyyyy@xyz.com _time=12:34:13:1344
sender=utr@tbc.com message_id=uuuuu@tbc.com _time=12:12:53:1233

I wrote a regex to extract the data after the @ to see which domains are present in the message_id field. The regex works on the website https://regex101.com/, but in Splunk I am not getting the expected output: Splunk returns the full message_id value, i.e. xxxx@ibn.com, and not ibn.com.

Wrote Query:

index=email_logs earliest=-30m | regex message_id="(?<=@).+" | stats count by message_id

Current Splunk output is:
xxxxxxx@ibn.com
yyyyy@xyz.com
uuuuu@tbc.com

Required output under message_id should be:

ibn.com
xyz.com
tbc.com

0 Karma

vnravikumar
Champion

Hi

Try this

index=email_logs earliest=-30m 
| eval domain=mvindex(split(message_id,"@"),-1) 
| stats count BY domain
0 Karma

woodcock
Esteemed Legend

There are a few problems, not the least of which is confusion between rex and regex commands; try this:

index=email_logs earliest=-30m
| rex field=message_id "@(?<message_domain>\S+)"
| stats count BY message_domain
0 Karma

to4kawa
Ultra Champion
index=email_logs earliest=-30m 
| rex "message_id=.*@(?<message_id>\S+)" 
| stats count by message_id

How about this?

0 Karma

jpolvino
Builder

If you're looking to TRANSFORM your existing message_id field so that everything up to and including the @ (at-symbol) gets thrown away, then try this:

| makeresults | eval raw2=split("sender=abc@ibn.com message_id=xxxxxxx@ibn.com _time=13:24:23:445,sender=xyz@xyz.com message_id=yyyyy@xyz.com _time=12:34:13:1344,sender=utr@tbc.com message_id=uuuuu@tbc.com _time=12:12:53:1233",",") | mvexpand raw2 | eval _raw=raw2 | extract | fields - _raw raw2
| rex mode=sed field=message_id "s/.*@(.*)/\1/g"
0 Karma

richgalloway
SplunkTrust

The regex command filters events. It doesn't extract fields or modify data. For that, you need rex. Try this:

index=email_logs earliest=-30m | regex message_id="(?<=@).+" | rex field=message_id mode=sed "s/.*@//" | stats count by message_id
---
If this reply helps you, Karma would be appreciated.
0 Karma
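To make the filter-versus-extract distinction concrete, here is an added Python sketch (not Splunk code and not from any reply in this thread) that runs the three sample events through both behaviours: a `regex`-style step that only keeps events whose message_id matches the lookbehind pattern, and a `rex`-style step that extracts a named capture group into a new field before counting. The events are constructed from the question's lines, with the stray space after `message_id=` on the first line removed.

```python
import re
from collections import Counter

# Constructed sample events, taken from the three log lines in the question.
SAMPLE_EVENTS = [
    "sender=abc@ibn.com message_id=xxxxxxx@ibn.com _time=13:24:23:445",
    "sender=xyz@xyz.com message_id=yyyyy@xyz.com _time=12:34:13:1344",
    "sender=utr@tbc.com message_id=uuuuu@tbc.com _time=12:12:53:1233",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def extract_fields(raw):
    """Automatic key=value extraction, like Splunk's search-time `extract`."""
    return dict(KV_RE.findall(raw))

def to_python_regex(pattern):
    """Splunk (PCRE) names groups (?<name>...); Python wants (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)

def regex_filter(events, field, pattern):
    """Splunk `regex <field>=<pattern>`: keeps matching events, changes nothing."""
    rx = re.compile(to_python_regex(pattern))
    return [e for e in events if field in e and rx.search(e[field])]

def rex_extract(events, field, pattern):
    """Splunk `rex field=<field> "<pattern>"`: adds named groups as new fields."""
    rx = re.compile(to_python_regex(pattern))
    out = []
    for e in events:
        e = dict(e)
        m = rx.search(e.get(field, ""))
        if m:
            e.update(m.groupdict())
        out.append(e)
    return out

def stats_count_by(events, field):
    """`stats count by <field>`; events lacking the field are dropped."""
    return dict(Counter(e[field] for e in events if field in e))

def run_question_query():
    events = [extract_fields(r) for r in SAMPLE_EVENTS]
    # The original query: regex only filters, so message_id stays the full address.
    kept = regex_filter(events, "message_id", r"(?<=@).+")
    return stats_count_by(kept, "message_id")

def run_rex_query():
    events = [extract_fields(r) for r in SAMPLE_EVENTS]
    # The fix: rex copies the part after '@' into a new field, message_domain.
    extracted = rex_extract(events, "message_id", r"@(?<message_domain>\S+)")
    return stats_count_by(extracted, "message_domain")
```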