Splunk Search

How to create a regex domain to not include "@" and terminate capture before ">"?

Log_wrangler
Builder

Hi,
I have been tinkering with regex101 for some time now and no luck.

I have a field called sender

Return-Path:<someName@someDomain.com>
Return-Path:<someName@someDomain.com.blah>

I want to regex the sender so that I get

someDomain.com
someDomain.com.blah

So I want the string to start after @ and end before >

here is what I started with

... | rex field=sender "@(?<domain>.*)"  

Thank you

Tags (2)
0 Karma
1 Solution

FrankVl
Ultra Champion

Close, try this:

| rex field=sender "@(?<domain>[^\>]+)"

You want to read only characters not equal to >. https://regex101.com/r/WbsXgT/1

View solution in original post

jkat54
SplunkTrust
SplunkTrust

I like this approach myself

 (?<=@)(?<domainName>.*)(?=>)
0 Karma

FrankVl
Ultra Champion

Any reason for why you like that approach? It is harder to read and if I interpret the regex101 execution info correctly a lot less efficient than a straightforward "@(?<domain>.[^\>]+)".

Given the 2 line sample from the question, regex101 reports 13 steps for my solution and 125 steps for yours.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Oh it’s less efficient for sure. I like it because it opens the user’s eyes to reverse and forward lookups etc.

0 Karma

Log_wrangler
Builder

thanks, I will check it out

0 Karma

ddrillic
Ultra Champion

Just add the >, such as - ... | rex field=sender "@(?<domain>.*)>"

0 Karma

jodyfsu
Path Finder

Try this:

| rex field=sender "@(?<domain>.[^\>]+)"
0 Karma

Log_wrangler
Builder
"@(?<domain>.*)>"
0 Karma

FrankVl
Ultra Champion

Close, try this:

| rex field=sender "@(?<domain>[^\>]+)"

You want to read only characters not equal to >. https://regex101.com/r/WbsXgT/1

Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...