Splunk Search

Extract multiple unmapped fields using Regex

Nidd
Path Finder

Hi,

I have the following log from which I need to extract 2 fields:


[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) [MyServiceImpl(emailServ:6431)] [my email@yahoo.com] [4223TD-E3DE-2345-8E59-1-YDHGC]   Validation failed.Invalid. Response JSON {"emailAddress":"mynewemail","statusReason":"failed_syntax_check","domain":"","processedAt":"2020-11-16 20:52:30 GMT-0700 (MST)","cache":false,"account":"","status":"invalid"}

I need to show the below values as 2 different fields in a table:

  • my email@yahoo.com as Email1
  • mynewemail as Email2

I was not able to fetch the Email1 field. I tried to fetch the Email2 field as below, but that didn't work either.


^(?:[^<\n]*<){2}\s+"\{"\w+":"(?P<emailAddress>[^"]+)

Please extend your help.


ITWhisperer
SplunkTrust

| rex "(\[[^\[]+){2}\[(?<email1>[^\]]+).*emailAddress\":\"(?<email2>[^\"]+)"

gcusello
SplunkTrust

Hi @Nidd, try this:

| rex "\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/1

Ciao.

Giuseppe


Nidd
Path Finder

Thank you @gcusello for the reply.

When trying to bring these fields in a table, the email2 field was perfect. But the email1 field came out like:

[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) [MyServiceImpl(emailServ:6431)] [my email@yahoo.com


gcusello
SplunkTrust

Hi @Nidd,

sorry: I forgot a slice of my regex:

| rex "\]\s+\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/2

Ciao.

Giuseppe 
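As an added worked check, not part of the thread: the event below is a constructed copy shaped like the one in the question, and the four patterns are the ones posted above (the attempt from the question, ITWhisperer's, and both of Giuseppe's), run through Python's re module the same unanchored way `rex` applies them. The only thing not taken from the posts is the small `to_python_re` helper, which rewrites PCRE-style `(?<name>...)` groups (what Splunk's rex accepts) into Python's `(?P<name>...)`; the patterns themselves are verbatim.

```python
import re
from typing import Optional

# Constructed sample event shaped like the one in the question (not real data).
EVENT = (
    '[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) '
    '[MyServiceImpl(emailServ:6431)] [my email@yahoo.com] '
    '[4223TD-E3DE-2345-8E59-1-YDHGC]   Validation failed.Invalid. Response JSON '
    '{"emailAddress":"mynewemail","statusReason":"failed_syntax_check","domain":"",'
    '"processedAt":"2020-11-16 20:52:30 GMT-0700 (MST)","cache":false,"account":"",'
    '"status":"invalid"}'
)

# The patterns exactly as posted in the thread (PCRE syntax, as typed into `| rex "..."`).
# The first one from the question requires two '<' characters, which the event never contains.
REX_QUESTION = r'^(?:[^<\n]*<){2}\s+"\{"\w+":"(?P<emailAddress>[^"]+)'
# Skips two bracketed fields, then captures up to the next ']'.
REX_ITWHISPERER = r'(\[[^\[]+){2}\[(?<email1>[^\]]+).*emailAddress\":\"(?<email2>[^\"]+)'
# First attempt: '\[' binds to the very first '[' of the line, and the greedy [^\@]+ then
# swallows everything up to the only '@', so email1 starts at "INFO ]".
REX_GCUSELLO_V1 = r'\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)'
# Fix: requiring '\]\s+\[' in front means the capture can only start right after a closing
# bracket, i.e. at the "[my email@..." field.
REX_GCUSELLO_V2 = r'\]\s+\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)'


def to_python_re(pcre: str) -> str:
    """Rewrite PCRE named groups '(?<name>' to Python's '(?P<name>'.

    The lookahead (?=\\w+>) keeps lookbehinds '(?<=' and '(?<!' untouched, and
    patterns already using '(?P<' are left as they are. Helper assumed for this
    example; Splunk's rex needs no such conversion.
    """
    return re.sub(r'\(\?<(?=\w+>)', '(?P<', pcre)


def extract(pattern: str, event: str) -> Optional[dict]:
    """Mimic `| rex "<pattern>"` on one event: unanchored search, named groups become fields.

    Returns the dict of named captures, or None when the regex does not match
    (in Splunk the fields would simply be absent from that event).
    """
    m = re.search(to_python_re(pattern), event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, pat in [("question", REX_QUESTION), ("ITWhisperer", REX_ITWHISPERER),
                       ("gcusello v1", REX_GCUSELLO_V1), ("gcusello v2", REX_GCUSELLO_V2)]:
        print(f"{label:12s} -> {extract(pat, EVENT)}")
```

Running it shows the question's pattern matching nothing, ITWhisperer's and Giuseppe's second pattern both returning email1 = "my email@yahoo.com" and email2 = "mynewemail", and Giuseppe's first pattern returning the over-long email1 that Nidd reported. Two things worth keeping in mind when reusing these in production searches: the `.*` between the two captures is unbounded, so on very long events it does more backtracking than a tighter `[^{]*\{` would, and the `\@` escapes are harmless but unnecessary, since `@` is not a regex metacharacter.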

Nidd
Path Finder

Thank you very much @gcusello. That worked!!!
