Solved: How to create a regex domain to not include "@" an...

Log_wrangler · ‎06-28-2018

Hi,
I have been tinkering with regex101 for some time now and no luck.

I have a field called sender

Return-Path:<someName@someDomain.com>
Return-Path:<someName@someDomain.com.blah>

I want to regex the sender so that I get

someDomain.com
someDomain.com.blah

So I want the string to start after @ and end before >

here is what I started with

... | rex field=sender "@(?<domain>.*)"

Thank you

FrankVl · ‎06-28-2018

Close, try this:

| rex field=sender "@(?<domain>[^\>]+)"

You want to read only characters not equal to >. https://regex101.com/r/WbsXgT/1

View solution in original post

jkat54 · ‎06-28-2018

I like this approach myself

 (?<=@)(?<domainName>.*)(?=>)

FrankVl · ‎06-28-2018

Any reason for why you like that approach? It is harder to read and if I interpret the regex101 execution info correctly a lot less efficient than a straightforward "@(?<domain>.[^\>]+)".

Given the 2 line sample from the question, regex101 reports 13 steps for my solution and 125 steps for yours.

jkat54 · ‎06-28-2018

Oh it’s less efficient for sure. I like it because it opens the user’s eyes to reverse and forward lookups etc.

Log_wrangler · ‎07-05-2018

thanks, I will check it out

ddrillic · ‎06-28-2018

Just add the >, such as - ... | rex field=sender "@(?<domain>.*)>"

jodyfsu · ‎06-28-2018

Try this:

| rex field=sender "@(?<domain>.[^\>]+)"

Log_wrangler · ‎06-28-2018

"@(?<domain>.*)>"

FrankVl · ‎06-28-2018

Close, try this:

| rex field=sender "@(?<domain>[^\>]+)"

You want to read only characters not equal to >. https://regex101.com/r/WbsXgT/1

How to create a regex domain to not include "@" and terminate capture before ">"?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?