Splunk Search

Having difficulties at search trying to use sed to find and replace a @ (at sign)

Explorer

I'm trying to filter down a list of internal email addresses at search time in a field called "email." They are all the same internal mail domain in the format of user@domain.com. I want to truncate them down to everything before the @ sign (so just user instead of user@domain.com). I've been trying to use a rex sed mode command to do this unsuccessfully. My plan is to replace everything from the at sign to the end of the field with "" to truncate the line. When I attempt to search and replace the @ sign, it never even pulls any data. However, if I search and replace anything else like "domain" it works fine. For example, given the email address me@domain.com the following works:

rex mode=sed field=Email "s/\"domain/""/g"

The result is me.com. Does Splunk rex sed mode somehow treat the @ sign as some sort of special character? I've tried escaping it in numerous ways without success. rex mode=sed field=Email "s/\"@/""/g" just kills the search right away saying there is no data. I am open to other ways to truncate a field as well.

SplunkTrust (accepted solution)

To change the field value to just the username, you can use this:

|  makeresults 
|  eval email="user@domain.com" 
|  rex field=email mode=sed "s/@.*//"


Esteemed Legend

Hey, Jinx!


Explorer

This works like a treat. In my example that worked (rex mode=sed field=Email "s/\"domain/""/g") the "" was the replace value I was using to replace it with a null or nothing. It looks like your example "s/@.*//g" more or less omits the item to replace it with to do the same thing. I would have never thought of that.

Thanks!

SplunkTrust

You beat me.


Esteemed Legend

It's not who takes the answer to the dance, it's who goes home with the points!

SplunkTrust

I shared! Oh, let me up vote your answer, then it will be even. 🙂


Esteemed Legend

I tricked him into giving you the points by UpVoting your answer and now you have undone all of my hard work!

SplunkTrust

Your answer is better anyway. I didn't need to have the g on the end of the rex.


Esteemed Legend

I like adding an extra g or 2 to the end.
- Gregg "the extra g says no -ory" Woodcock


Esteemed Legend

What extra g?

SplunkTrust

Editing my answers now are we?


Esteemed Legend

I needed another one: Gregg G. Woodcock. The G is for generous (if you laughed, maybe you know Sanford and Son).

SplunkTrust

Yeah, I'm plenty old enough for Sanford and Son - "Oh,... my heart!"

Well, as long as the G went to a Good cause. 🙂


Esteemed Legend

Actually, the G is really for Good cause but I couldn't find any place to steal a C.


Esteemed Legend

Hey, you're not supposed to post until I write @cpetterborg. OOPS, I just did!


Esteemed Legend

Like this:

... | rex mode=sed field=Email "s/@.*//"

SplunkTrust

If you just want to extract user name from email, you can try the following rex command. sed mode does not seem absolutely necessary for me (PS: first two pipes just create a mock email address as per the question):

| makeresults
| eval _raw="user@domain.com" 
| rex "(?<user>[^@]+)@"
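The two approaches given in this thread, the sed-style substitution `s/@.*//` from the accepted answer and the capture-group extraction `(?<user>[^@]+)@` from the last answer, side by side as an added Python example. This is not code from the thread, and the sample field values are constructed for the demonstration. Python's `re` module spells the named group `(?P<user>...)` where Splunk's PCRE accepts `(?<user>...)`; the patterns are otherwise the same. The example also shows where the two differ on values the original question did not cover: a value with no `@` at all comes back unchanged from the substitution, but the extraction yields nothing, so in Splunk the `user` field would simply be absent for that event. The trailing `g` flag is irrelevant here because `.*` already consumes the rest of the value on the first match.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample values for the "email" field (not taken from the thread).
SAMPLE_EMAILS = [
    "user@domain.com",
    "me@domain.com",
    "svc-account",               # no @ sign at all
    "\"odd@name\"@domain.com",   # quoted local part containing a second @
]


def strip_domain_sed(email: str) -> str:
    """Equivalent of: rex field=email mode=sed "s/@.*//"

    Removes everything from the first @ to the end of the value. A value
    with no @ is returned unchanged. count=1 mirrors sed without the g flag;
    adding g would change nothing because .* already reaches end of string.
    """
    return re.sub(r"@.*", "", email, count=1)


def extract_user_rex(email: str) -> Optional[str]:
    """Equivalent of: rex "(?<user>[^@]+)@"

    Captures the run of non-@ characters immediately before the first @.
    Unlike the sed form, a value without @ produces no extraction (None),
    which in Splunk means the user field does not exist for that event.
    """
    m = re.search(r"(?P<user>[^@]+)@", email)
    return m.group("user") if m else None


def compare(values: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Run both methods over a list of field values for side-by-side review."""
    return [(v, strip_domain_sed(v), extract_user_rex(v)) for v in values]


if __name__ == "__main__":
    for original, sed_result, rex_result in compare(SAMPLE_EMAILS):
        print(f"{original!r:28} sed -> {sed_result!r:14} rex -> {rex_result!r}")
```

Note that both forms stop at the first `@`, so a quoted local part that itself contains an `@` (legal per RFC 5322, rare in practice) is cut short by both; if such addresses can appear in the data, anchor on the last `@` instead (`s/@[^@]*$//` in sed mode).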