
How do you extract user names from a field that contains an email address?

PanIrosha
Path Finder

Hi Experts,

I have a data field called "userId" (FirstName.LastName@DomainName) in one of my data sources. Is there a way to create a new field called "user" just by extracting the "FirstName.LastName" part from the "userId" field ?

Thank you in advance

1 Solution

renjith_nair
SplunkTrust

@PanIrosha,
Try

your search|rex field=userId "(?<user>\w+\.\w+)"

In case your names contain digits and - (hyphen), then use

your search|rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"
Happy Splunking!

PanIrosha
Path Finder

Hi Renjith,

Thank you very much for the quick response. Will you be able to tell me how to create the field adding this please? I am quite new to Splunk.

Thank you 🙂


PanIrosha
Path Finder

Hi @renjith.nair

The regex worked fine in my search. Apparently, we have a few naming conventions. Some are just firstname@domain.com. Can you help me to create a regex that detects "everything" before the @ sign?

Thank you very much.


renjith_nair
SplunkTrust

@PanIrosha,

OK, try this and upvote if it worked 🙂

|rex field=userId "(?<user>.+?(?=@))"
Happy Splunking!

PanIrosha
Path Finder

@renjith.nair

Wow, that works like a charm. Thank you very much. This regex works fine when I run it in the search bar; I can see the field getting extracted. But how can I save this extraction permanently?

I tried to save this as a field extraction in Settings > Fields > Field Extractions. Below are the settings for this extraction:

Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?<user>.+?(?=@))"

App Permission: Global

In the search bar, I can get the extracted field when I search with the index name:

index=asa | rex field=userId "(?<user>.+?(?=@))"

but it doesn't return any results when I search with the sourcetype, source or host.

Any idea what might be the reason?

Thank you very much Renjith.

NOTE: I am using your exact regex command given in your answers.

Regards
Irosha


renjith_nair
SplunkTrust

@PanIrosha,

Hi Irosha,

Since the search works fine with index=, the field extraction is working.

If you haven't given any index name in the search, there is a property in the user role called "Indexes searched by default" which will be looked at to find out which indexes the search should consider by default. Unless you change that property, by default it has only the main index. You can change that under Settings -> Access controls » Roles » "your role name" and scroll down to find "Indexes searched by default".

Happy Splunking!

PanIrosha
Path Finder

@renjith.nair

Thank you for the prompt response. Did I use the correct way to create the field extraction? Is there anything that needs to be added?

I tried to save this as a field extraction in Settings > Fields > Field Extractions. Below are the settings for this extraction:

Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?<user>.+?(?=@))"

App Permission: Global

Thank you very much.


renjith_nair
SplunkTrust

@PanIrosha,
The user field will be created as it's used in the named group. Run the below example to check:

| makeresults |eval userId="FirstName.LastName@abc.com" |rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"
Happy Splunking!
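As an added example (not code from this thread), the three rex patterns posted above are run under JavaScript's RegExp against constructed userId values; the sample values are constructed, not from the poster's data. Splunk's rex uses PCRE, and these particular patterns (named group, character class, lookahead) behave identically in JavaScript, so the run shows why `\w+\.\w+` silently extracts the domain once plain firstname@domain addresses appear, while `.+?(?=@)` handles every convention mentioned.

```javascript
// The three patterns exactly as posted in the thread.
const PATTERNS = {
  dotted:       /(?<user>\w+\.\w+)/,             // first answer
  dottedHyphen: /(?<user>[\w0-9-]+\.[\w0-9-]+)/, // names with digits/hyphens
  beforeAt:     /(?<user>.+?(?=@))/,             // everything before the @
};

// Constructed sample userId values covering the naming conventions
// mentioned in the thread, plus one value with no @ at all.
const SAMPLES = [
  "FirstName.LastName@abc.com",
  "jean-luc.o-neil2@abc.com",
  "firstname@domain.com",
  "no-at-sign-here",
];

// Mirrors "| rex field=userId ..." on a single event: returns the value of
// the named group, or null when the pattern does not match (rex then leaves
// the user field absent on that event).
function extractUser(userId, pattern) {
  const m = pattern.exec(userId);
  return m ? m.groups.user : null;
}

// Apply every pattern to every sample so the differences sit side by side.
// Note that "firstname@domain.com" yields "domain.com" for the dotted patterns:
// the first \w+\.\w+ match in the string is the domain, not the user.
function compare(samples = SAMPLES) {
  return samples.map((userId) => {
    const row = { userId };
    for (const [name, re] of Object.entries(PATTERNS)) {
      row[name] = extractUser(userId, re);
    }
    return row;
  });
}

console.table(compare());
```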