Splunk Search

How to create a regex domain to not include "@" and terminate capture before ">"?

Builder

Hi,
I have been tinkering with regex101 for some time now and no luck.

I have a field called sender

Return-Path:<someName@someDomain.com>
Return-Path:<someName@someDomain.com.blah>

I want to regex the sender so that I get

someDomain.com
someDomain.com.blah

So I want the string to start after @ and end before >

Here is what I started with:

... | rex field=sender "@(?<domain>.*)"  

Thank you

0 Karma

Ultra Champion

Close, try this:

| rex field=sender "@(?<domain>[^\>]+)"

You want to read only characters not equal to >. https://regex101.com/r/WbsXgT/1


SplunkTrust

I like this approach myself

 (?<=@)(?<domainName>.*)(?=>)
0 Karma

Ultra Champion

Any reason for why you like that approach? It is harder to read and if I interpret the regex101 execution info correctly a lot less efficient than a straightforward "@(?<domain>.[^\>]+)".

Given the 2 line sample from the question, regex101 reports 13 steps for my solution and 125 steps for yours.

0 Karma

SplunkTrust

Oh it’s less efficient for sure. I like it because it opens the user’s eyes to reverse and forward lookups etc.

0 Karma

Builder

thanks, I will check it out

0 Karma

Ultra Champion

Just add the >, such as - ... | rex field=sender "@(?<domain>.*)>"

0 Karma

Path Finder

Try this:

| rex field=sender "@(?<domain>.[^\>]+)"
0 Karma

Builder
"@(?<domain>.*)>"
0 Karma
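
An added example, not written by any poster in this thread: the three patterns suggested above, run side by side in Python over the two sample values from the question plus two constructed edge cases, to show where they stop agreeing. Python spells a named group `(?P<name>...)` where Splunk's rex accepts `(?<name>...)`; the `trailing` and `no_bracket` inputs and the function names are assumptions made for the illustration.

```python
import re

# The thread's three patterns, with only the named-group spelling changed
# from (?<name>...) to Python's (?P<name>...).
PATTERNS = {
    "negated_class": r"@(?P<domain>[^\>]+)",       # accepted answer
    "greedy_to_gt":  r"@(?P<domain>.*)>",          # "just add the >"
    "lookaround":    r"(?<=@)(?P<domain>.*)(?=>)", # lookbehind / lookahead
}

# First two values are the question's samples; the last two are constructed
# edge cases (extra text containing '>' after the address, and no brackets).
SAMPLES = {
    "plain":      "Return-Path:<someName@someDomain.com>",
    "long_tld":   "Return-Path:<someName@someDomain.com.blah>",
    "trailing":   "Return-Path:<someName@someDomain.com> (relay <mx1>)",
    "no_bracket": "Return-Path:someName@someDomain.com",
}


def extract(pattern_name, sender):
    """Return the captured domain, or None when the pattern does not match."""
    match = re.search(PATTERNS[pattern_name], sender)
    return match.group("domain") if match else None


def compare(sender):
    """Run every pattern against one sender value."""
    return {name: extract(name, sender) for name in PATTERNS}


if __name__ == "__main__":
    for label, sender in SAMPLES.items():
        print(f"{label:10} {compare(sender)}")
```

On the question's two samples all three patterns return the same domain. With a later `>` in the value, the two `.*` patterns run on to the last `>` and capture the text in between, and without any `>` they do not match at all, while the negated class stops at the first `>` or at the end of the value.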
