Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract a part of a field?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reschal
Explorer
12-15-2017
12:55 AM
Hey,
i have got a field extraction called mail. So i get different kind of mails as output.
But it appears the following problem: All the mail adresses have a "." at the end and i want to remove the ".".
For example: "xy.z@yahoo.com." shall be "xy.z@yahoo.com"
I tried to solve the problem by extracting the expression without the "." but it won't work.
|rex field=mail "(?<mail>[\s]+)-."
Thanks for your help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
12-15-2017
01:17 AM
Try this
| rex field=mail "(?P<mail>[^\s]+)\."
Let me know if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yunagi
Communicator
12-15-2017
01:22 AM
If you really want to change the field with a Splunk search, then try the following:
| eval mail=substr(mail,0,len(mail)-1)
However, I think the better approach is to improve the actual field extraction. Can you provide the field extraction under Settings/Fields/Field extractions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
12-15-2017
01:17 AM
Try this
| rex field=mail "(?P<mail>[^\s]+)\."
Let me know if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
reschal
Explorer
12-15-2017
01:52 AM
It works. Thanks very much 🙂
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
