Solved: Extract domain part of list of emails addresses.

dhabbal · ‎06-07-2018

Hi,

My results are a bunch of email address, I want to display them in table grouped by their domains.

What's the best way to achieve this?

Thanks!

gcusello · ‎06-07-2018

Hi dhabbal,
if your emails are in a field called "email", you could run a search like this:

index=my_index
| rex field=email "\@(?<domain>[^ ]*)"
| stats dc(email) AS num_email BY domain

in this way you have the count of different emails in your logs.

If in addition you want also the name of your emails, you could run:

index=my_index
| rex field=email "\@(?<domain>[^ ]*)"
| stats values(email) AS email dc(email) AS num_email BY domain

If at least, you want the number of emails ordered by domain, you could run:

index=my_index
| stats count BY email
| rex field=email "\@(?<domain>[^ ]*)"
| sort domain
| table domain email count

Bye.
Giuseppe

gcusello · ‎06-07-2018

Hi dhabbal,
if your emails are in a field called "email", you could run a search like this:

index=my_index
| rex field=email "\@(?<domain>[^ ]*)"
| stats dc(email) AS num_email BY domain

in this way you have the count of different emails in your logs.

If in addition you want also the name of your emails, you could run:

index=my_index
| rex field=email "\@(?<domain>[^ ]*)"
| stats values(email) AS email dc(email) AS num_email BY domain

If at least, you want the number of emails ordered by domain, you could run:

index=my_index
| stats count BY email
| rex field=email "\@(?<domain>[^ ]*)"
| sort domain
| table domain email count

Bye.
Giuseppe

dineshraj9 · ‎06-07-2018

Can you post a sample event?

Extract domain part of list of emails addresses.