Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Trim string at @ - need help creating rex search

katzr
Path Finder
‎09-12-2017 10:24 AM

Hello,

I cannot figure out the syntax of the rex function. I have a field called email with multiple domains: katz.r@blah.com example@blahblah.com. I need to create a new field where just katz.r and example are returned- so it is cut off at the @ sign. I cannot figure out the syntax of rex to write it and the split function keeps both the values: katz.r and blah.com-which is not what I want. I also tried rtim but I that isn't working for a field- just a given string.

Thanks for the help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎09-12-2017 11:42 AM

So if you just want to isolate the username from the domain in the email field into a new field (I'm using user), you can do that something like this:

... | eval user=email | rex field=user mode=sed "s/@\S+//g"

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎09-12-2017 12:03 PM

@katzr, Similar question was asked a day before... https://answers.splunk.com/answers/569242/having-difficulties-at-search-trying-to-use-sed-to.html. @cpetterborg, with accepted answer to that question, has already answered here with his accepted answer using sed, following is rex on similar lines but without sed:

 | makeresults
 | eval _raw="user@domain.com" 
 | rex "(?<user>[^@]+)@"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎09-12-2017 11:42 AM

So if you just want to isolate the username from the domain in the email field into a new field (I'm using user), you can do that something like this:

... | eval user=email | rex field=user mode=sed "s/@\S+//g"
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎09-12-2017 11:11 AM 
| makeresults | eval email="anybody@mail.com" | rex field=email "^(?<firstPart>.*)@" | table email, firstPart

I am assuming your events have a field called 'email' with just one value per event, but across events there are multiple values.
If your email field contains multiple email addresses in each event, the approach would be different. So please clarify, if this is not what you need.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-12-2017 10:34 AM

Hi
why do you want to use regex?
try using makemv and mvexpand, something like this
index=_internal | head 1| eval IP="katz.r@blah.com example@blahblah.com" | makemv IP | mvexpand IP | table IP
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

katzr
Path Finder
‎09-12-2017 10:38 AM

I need to perform this action for the whole field email- not just those example strings

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-12-2017 10:47 AM

Could you share an example to extract fields?
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

katzr
Path Finder
‎09-12-2017 10:51 AM

The field is called email and contains values of a typical email. And I want a new field that just includes the portion of the email string before the @.

So katz.r@blahblah.com is a value in the field Email. And I want just katz.r in a new field.

0 Karma
Reply
Solved! Jump to solution

katzr
Path Finder
‎09-12-2017 10:51 AM

Thanks for help!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...