
How do I write the regular expression to extract the domain name from email addresses in SMTP logs?

jspvkey
Explorer

Hi,

I am really new to Splunk and Regular Expression stuff. I was planning to extract just the domain names of all e-mail senders in my SMTP Log. For example, if the sender field value is store_news @amazon.com, then I just want to extract the domain name, which is amazon.com. Can somebody please provide me a way to perform this?

Thanks
Appreciated

0 Karma

mhassan
Path Finder

Here is another one

@(?\w+.\w{3})
0 Karma

lguinn2
Legend

This one won't work for all email addresses...

0 Karma

martynoconnor
Communicator

Agreed, there are top-level domains with shorter and longer lengths. Also the dot isn't escaped.

0 Karma

jluo_splunk
Splunk Employee

If you are uncomfortable with regular expressions, you can use the Interactive Field Extractor. Documentation here: http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma

somesoni2
Revered Legend

Try something like this

your base search  | eval sender_domain=mvindex(split(sender,"@"),-1) .....

OR

your base search  | rex field=sender ".*@(?<sender_domain>.*)" 

thahn
Explorer

Based on your answer, I used the following to extract the domain part and sort by number of occurrences for the top 20:

your base search | eval sender_domain=mvindex(split(sender,"@"),-1)  | top limit=20 sender_domain
0 Karma
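The two extraction approaches from somesoni2's answer (split/mvindex and rex) and thahn's top-20 count, reproduced in Python over a constructed SMTP log so they can be run offline. This is an added example, not code from the thread; the log line format with a "sender=" field is an assumption, and Python spells a named group (?P<name>...) where Splunk's rex accepts (?<name>...). It also shows why the fixed-width \w{3} pattern discussed above misreads domains with two-letter or multi-label TLDs.

```python
import re
from collections import Counter

# Constructed sample SMTP log lines (not from the thread); the sender= field is assumed.
SAMPLE_LOG = """\
2024-01-01T10:00:00 smtp: sender=store_news@amazon.com rcpt=alice@example.org status=accepted
2024-01-01T10:00:01 smtp: sender=billing@mail.amazon.com rcpt=bob@example.org status=accepted
2024-01-01T10:00:02 smtp: sender=noreply@example.co.uk rcpt=carol@example.org status=accepted
2024-01-01T10:00:03 smtp: sender=alerts@status.io rcpt=dave@example.org status=accepted
2024-01-01T10:00:04 smtp: sender=store_news@amazon.com rcpt=erin@example.org status=rejected
"""

# Pull the sender field out of a raw line (Splunk would already have this as a field).
SENDER_RE = re.compile(r"sender=(?P<sender>\S+)")

# Equivalent of: rex field=sender ".*@(?<sender_domain>.*)"
# Greedy .*@ anchors on the LAST '@', so a quoted local part containing '@' is still handled.
REX_DOMAIN = re.compile(r".*@(?P<sender_domain>.*)")

# The fixed-width pattern criticised in the thread: the unescaped '.' matches any
# character and \w{3} only fits three-letter labels, so it backtracks into wrong matches.
FIXED_TLD = re.compile(r"@(?P<sender_domain>\w+.\w{3})")

def sender_domain_split(sender):
    """Equivalent of mvindex(split(sender,"@"),-1): the last '@'-separated piece."""
    return sender.split("@")[-1]

def sender_domain_rex(sender, pattern=REX_DOMAIN):
    """Equivalent of rex: return the named group, or None when the pattern does not match."""
    m = pattern.search(sender)
    return m.group("sender_domain") if m else None

def top_sender_domains(log_text, limit=20, extract=sender_domain_split):
    """Equivalent of: ... | eval sender_domain=... | top limit=20 sender_domain"""
    counts = Counter()
    for line in log_text.splitlines():
        m = SENDER_RE.search(line)
        if m:
            domain = extract(m.group("sender"))
            if domain:
                counts[domain] += 1
    return counts.most_common(limit)

if __name__ == "__main__":
    for domain, n in top_sender_domains(SAMPLE_LOG):
        print(f"{domain}\t{n}")
    # The \w{3} pattern yields "example", "status" and "mail.ama" for these senders.
    for s in ("noreply@example.co.uk", "alerts@status.io", "billing@mail.amazon.com"):
        print(s, "->", sender_domain_rex(s, FIXED_TLD))
```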