
How to extract Email recipients from Splunk python.log?

Path Finder

I got couple of log entries like below

2015-02-04 09:40:06,373 INFO Sending email. subject="Test e-mail from Splunk Alert", results_link="httpabc?sid=schedulersearchRMD5d85a9270819de479at1423060800_190943", recipients="['a.b@abc.com', 'cd@abc.com']"
host=DEV01 | sourcetype=splunk_python | source=/apps/splunk02/splunk/var/log/splunk/python.log | loglevel=INFO | date_year=2015 | sid=schedulerx450986searchRMD5d85a9270819de479at1423060800190943

2015-02-03 09:40:06,373 INFO Sending email. subject="Test e-mail from Splunk Alert", results_link="httpabc?sid=schedulersearchRMD5d85a9270819de479at1423060800190943", recipients="['a.b@abc.com', 'cd@abc.com','mk@abc.com']"
host=DEV01 | sourcetype=splunk_python | source=/apps/splunk02/splunk/var/log/splunk/python.log | loglevel=INFO | date_year=2015 | sid=schedulersearchRMD5d85a9270819de478at1423060800190943

I want to create a recipient multivalue field which will contain the email addresses.

0 Karma

Re: How to extract Email recipients from Splunk python.log?

Communicator

Something like this:

  * | head 1 | eval recipients="['a.b@abc.com','cd@abc.com','mk@abc.com']" | rex field=recipients "(?<data>[a-z\.@\,\s']+)" | makemv delim="," data

I do proper field extraction in my props.

0 Karma

Re: How to extract Email recipients from Splunk python.log?

Motivator

Give this a spin:

index=_internal source="/opt/splunk/var/log/splunk/python.log"
| rex max_match=0 field=recipients "u'(?<recipient_list>[^']+)"
| stats values(recipient_list) as Recipients count by subject
| sort - count
| addtotals col=t row=f

I'm on Splunk 6.x, so my recipients field looks like this:

recipients="[u'userx@uci.edu', u'usery@uci.edu', u'userz@uci.edu']",

If you are on 6.x then my search should work perfectly for you. But if you are on an older version of Splunk, you may have a different log format. For the example you showed us above, there is no u in front of the single-quoted recipients' email addresses. If that is still the case, just remove the u so the rex line looks like this:

| rex max_match=0 field=recipients "'(?<recipient_list>[^']+)"

Be sure to vote this up if it works for you! 🙂

Oh, and the max_match=0 makes the number of matches unlimited, so it recurses, creating a multivalued field called recipient_list. `max_match` has the default setting of 1 unless you change it.

0 Karma
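The two answers above both come down to the same idea: parse the `key="value"` pairs out of the event, then run a repeating match over the `recipients` value. The following Python script is an added example (not code from the thread or from Splunk) that does the same thing outside Splunk, so you can check what the regex actually yields before putting it in a rex command or in props.conf. The sample log lines are constructed to look like the python.log entries quoted in the question and in the Motivator's answer, with made-up addresses and a placeholder `results_link`; the `u'` prefix in the 6.x form is just Python 2's repr of a unicode string, which is why the optional `u?` in the pattern covers both formats at once.

```python
import re

# Constructed sample lines in the shape of Splunk's python.log "Sending email" entries.
# Lines 1 and 2 mimic the question's format, line 3 the 6.x format with u'' prefixes,
# line 4 is an unrelated event that carries no recipients field at all.
SAMPLE_LINES = [
    '2015-02-04 09:40:06,373 INFO Sending email. subject="Test e-mail from Splunk Alert", '
    'results_link="http://splunk.example/app?sid=scheduler_example_1", '
    'recipients="[\'a.b@abc.com\', \'cd@abc.com\']"',
    '2015-02-03 09:40:06,373 INFO Sending email. subject="Test e-mail from Splunk Alert", '
    'results_link="http://splunk.example/app?sid=scheduler_example_2", '
    'recipients="[\'a.b@abc.com\', \'cd@abc.com\',\'mk@abc.com\']"',
    '2015-02-05 10:00:00,001 INFO Sending email. subject="Disk usage alert", '
    'results_link="http://splunk.example/app?sid=scheduler_example_3", '
    'recipients="[u\'userx@uci.edu\', u\'usery@uci.edu\']"',
    '2015-02-05 10:05:00,001 INFO Some other message with no recipients',
]

# Step 1: key="value" pairs, the equivalent of Splunk's automatic field extraction.
# The value part allows backslash-escaped characters so an embedded \" does not
# terminate the value early.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Step 2: one address per quoted item. This is the answer's
#   rex max_match=0 field=recipients "u?'(?<recipient_list>[^']+)"
# expressed as a Python pattern; re.findall plays the role of max_match=0.
RECIPIENT_RE = re.compile(r"u?'([^']+)'")


def parse_fields(line):
    """Return the key="value" pairs of one event as a dict."""
    return dict(FIELD_RE.findall(line))


def extract_recipients(line):
    """Return the list of addresses in the event's recipients field ([] if absent)."""
    raw = parse_fields(line).get("recipients")
    if raw is None:
        return []
    return RECIPIENT_RE.findall(raw)


def recipients_by_subject(lines):
    """Equivalent of: stats values(recipient_list) as Recipients count by subject.

    values() in Splunk returns the distinct values in sorted order, so the
    per-subject set is sorted before it is returned.
    """
    summary = {}
    for line in lines:
        fields = parse_fields(line)
        if "subject" not in fields:
            continue  # not a "Sending email" event
        entry = summary.setdefault(fields["subject"], {"Recipients": set(), "count": 0})
        entry["Recipients"].update(extract_recipients(line))
        entry["count"] += 1
    return {
        subject: {"Recipients": sorted(v["Recipients"]), "count": v["count"]}
        for subject, v in summary.items()
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_recipients(line))
    for subject, row in sorted(recipients_by_subject(SAMPLE_LINES).items()):
        print(subject, row["count"], row["Recipients"])
```

Because the address pattern is anchored on the single quotes rather than on the characters of an email address, a recipient written with an unexpected character set still comes out whole; if you instead extract with a character class (as in the first answer), the quotes end up inside the values and have to be trimmed after `makemv`.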