Splunk Search

How do you extract user names from a field that contains an email address?

PanIrosha
Path Finder

Hi Experts,

I have a data field called "userId" (FirstName.LastName@DomainName) in one of my data sources. Is there a way to create a new field called "user" just by extracting the "FirstName.LastName" part from the "userId" field ?

Thank you in advance

0 Karma
1 Solution

renjith_nair
Legend

@PanIrosha,
Try

your search|rex field=userId "(?<user>\w+\.\w+)"

In case your names contain digits and - (hyphen) then use,

your search|rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

@PanIrosha,
Try

your search|rex field=userId "(?<user>\w+\.\w+)"

In case your names contain digits and - (hyphen) then use,

your search|rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"
---
What goes around comes around. If it helps, hit it with Karma 🙂

PanIrosha
Path Finder

Hi Renjith,

Thank you very much for the quick response. will you be able to tell me how to create the field adding this this please ? i am quite new to splunk

Thank you 🙂

0 Karma

PanIrosha
Path Finder

Hi @renjith.nair

the regex worked fine in my search. apparently , we have few few naming conventions. some are just firstname@domain.com. can you help me to create a regex that detect "everything" before @ sign ?

Thank you very much.

0 Karma

renjith_nair
Legend

@PanIrosha,

Ok, try this and upvote if it worked 🙂

|rex field=userId "(?<user>.+?(?=@))"
---
What goes around comes around. If it helps, hit it with Karma 🙂

PanIrosha
Path Finder

@renjith.nair

wow. that work like a charm. thank you very much. this regex work fine when i run in the search bar. i can see the field getting extracted. but how can i save this extraction permanently ?

i tried to save this as a field extraction in Settings > Fields > Filed Extraction. below are the settings for this extraction

Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?<user>.+?(?=@))"

App Permission: Global

in the search bar, i can get the extracted field when i search with index name

index=asa | rex field=userId "(?<user>.+?(?=@))"

but it doesn't return any results when i search with the sourcetype, source or host.

any idea wht might be the reason ?

Thank you very much Renjith.

NOTE: i am using your exact regex command given in your answers.

Regards
Irosha

0 Karma

renjith_nair
Legend

@PanIrosha ,

Hi Irosha,

Since the search works fine with index=, then the field extraction is working.

If you haven't given any index name in the search, there is a property in the user role called Indexes searched by default which will be looked against to find out the indexes the search should consider by default. Unless you change that property , by default it has only main index. You can change that by Settings -> Access controls » Roles » "your role name" and scroll down to find Indexes searched by default

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

PanIrosha
Path Finder

@renjith.nair

thank you for the prompt response. did i use the correct way to create the field extraction ? is there anything need to be added ?

i tried to save this as a field extraction in Settings > Fields > Filed Extraction. below are the settings for this extraction

Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?.+?(?=@))"

App Permission: Global

Thank you very much.

0 Karma

renjith_nair
Legend

@PanIrosha,
the user field will be created as its used in the named group. Run the below example to check

| makeresults |eval userId="FirstName.LastName@abc.com" |rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...