How do I write the regular expression to extract t...

jspvkey · ‎01-08-2016

Hi,

I am really new to Splunk and Regular Expression stuff. I was planning to extract just the domain names of all e-mail senders in my SMTP Log. For example, If the sender field value is store_news @amazon.com, then I just want to extract the domain name which is amazon.com. Can somebody please provide me a way to perform this?

Thanks
Appreciated

mhassan · ‎01-09-2016

Here is another one

@(?\w+.\w{3})

lguinn2 · ‎01-14-2016

This one won't work for all email addresses...

martynoconnor · ‎09-30-2019

Agreed, there are top level domains with shorter and longer lengths. Also the dot isn't escaped.

aljohnson_splun · ‎01-08-2016

Learn Regex

http://regexone.com

http://www.regular-expressions.info/quickstart.html

Search answers:

https://answers.splunk.com/answers/338138/how-to-search-for-and-extract-email-ids-with-dot-t.html
https://answers.splunk.com/answers/190126/how-to-extract-only-the-top-level-domain-tld-from.html

Read about:

jluo_splunk · ‎01-08-2016

If you are uncomfortable with regular expressions, you can use the Interactive Field Extractor. Documentation here: http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ExtractfieldsinteractivelywithIFX

somesoni2 · ‎01-08-2016

Try something like this

your base search  | eval sender_domain=mvindex(split(sender,"@"),-1) .....

OR

your base search  | rex field=sender ".*@(?<sender_domain>.*)"

thahn · ‎09-30-2019

Based on your answer, I used the following to extract the domain part and sort by number of occurrences for the top 20:

your base search | eval sender_domain=mvindex(split(sender,"@"),-1)  | top limit=20 sender_domain