Splunk Search

Having difficulties at search trying to use sed to find and replace a @ (at sign)

splunk_newb
Explorer

I'm trying to filter down a list of internal email addresses at search time in a field called "email". They are all the same internal mail domain, in the format user@domain.com. I want to truncate them down to everything before the @ sign (so just user instead of user@domain.com). I've been trying to use a rex sed mode command to do this, unsuccessfully. My plan is to replace everything from the at sign to the end of the field with "" to truncate the line. When I attempt to search and replace the @ sign, it never even pulls any data. However, if I search and replace anything else, like "domain", it works fine. For example, given the email address me@domain.com, the following works:

rex mode=sed field=Email "s/\"domain/""/g"

The result is me.com. Does Splunk rex sed mode somehow treat the @ sign as some sort of special character? I've tried escaping it in numerous ways without success. rex mode=sed field=Email "s/\"@/""/g" just kills the search right away, saying there is no data. I am open to other ways to truncate a field as well.

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

To change the field value to just the username, you can use this:

|  makeresults 
|  eval email="user@domain.com" 
|  rex field=email mode=sed "s/@.*//"


woodcock
Esteemed Legend

Hey, Jinx!

0 Karma

splunk_newb
Explorer

This works like a treat. In my example that worked (rex mode=sed field=Email "s/\"domain/""/g") the "" was the replace value I was using to replace it with a null or nothing. It looks like your example "s/@.*//g" more or less omits the item to replace it with to do the same thing. I would have never thought of that.

Thanks!

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

You beat me.

0 Karma

woodcock
Esteemed Legend

It's not who takes the answer to the dance, it's who goes home with the points!

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I shared! Oh, let me up vote your answer, then it will be even. 🙂

0 Karma

woodcock
Esteemed Legend

I tricked him into giving you the points by UpVoting your answer and now you have undone all of my hard work!

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Your answer is better anyway. I didn't need to have the g on the end of the rex.

0 Karma

woodcock
Esteemed Legend

I like adding an extra g or 2 to the end.
- Gregg "the extra g says no -ory" Woodcock

0 Karma

woodcock
Esteemed Legend

What extra g?

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Editing my answers now are we?

0 Karma

woodcock
Esteemed Legend

I needed another one: Gregg G. Woodcock. The G is for generous (if you laughed, maybe you know Sanford and Son).

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Yeah, I'm plenty old enough for Sanford and Son - "Oh,... my heart!"

Well, as long as the G went to a Good cause. 🙂

0 Karma

woodcock
Esteemed Legend

Actually, the G is really for Good cause but I couldn't find any place to steal a C.

0 Karma

woodcock
Esteemed Legend

Hey, you're not supposed to post until I write @cpetterborg. OOPS, I just did!

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex mode=sed field=Email "s/@.*//"

niketn
Legend

If you just want to extract user name from email, you can try the following rex command. sed mode does not seem absolutely necessary for me (PS: first two pipes just create a mock email address as per the question):

| makeresults
| eval _raw="user@domain.com" 
| rex "(?<user>[^@]+)@"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
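The two approaches in this thread (cpetterborg's sed substitution and niketn's capture-group rex) behave differently on values that are not a clean user@domain.com, which matters when the result is going to be joined against authentication or HR data. The search below is an added example, not code from either poster: it builds a constructed set of sample values in a field named email (an assumed name) with one mixed-case address, one value with no @ at all, and one with two @ signs, then runs the sed form, the capture form and an eval split side by side so the differences are visible in one table.

```spl
| makeresults
| eval email=split("user@domain.com,Alice.Smith@Domain.com,svc-backup,weird@name@domain.com", ",")
| mvexpand email
| eval user_sed=email
| rex field=user_sed mode=sed "s/@.*//"
| rex field=email "^(?<user_rex>[^@]+)@(?<maildomain>[^@]+)$"
| eval user_split=mvindex(split(email, "@"), 0)
| eval user_norm=lower(coalesce(user_rex, ""))
| eval note=if(isnull(user_rex), "not exactly one @, review before joining", "ok")
| table email user_sed user_rex maildomain user_split user_norm note
```

What to expect: for user@domain.com all three columns agree on user. The sed form (s/@.*//) and the split form both leave svc-backup untouched and silently return weird for the double-@ value, so a bare username or a malformed address is indistinguishable from a successfully stripped one. The anchored capture form returns null for both of those rows, which is what the note column keys off; the lower() step is there because mail domains and local parts often arrive in mixed case and a case-sensitive join on user_norm against another data set will otherwise miss rows. Use the sed form when you only need display trimming, and the anchored capture form when the username is going to be used as a join key or in a lookup.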