Solved: How to extract a part of a field?

reschal · ‎12-15-2017

Hey,

i have got a field extraction called mail. So i get different kind of mails as output.

But it appears the following problem: All the mail adresses have a "." at the end and i want to remove the ".".

For example: "xy.z@yahoo.com." shall be "xy.z@yahoo.com"

I tried to solve the problem by extracting the expression without the "." but it won't work.

|rex field=mail "(?<mail>[\s]+)-."

Thanks for your help!

mayurr98 · ‎12-15-2017

Try this

| rex field=mail "(?P<mail>[^\s]+)\."

Let me know if it helps!

View solution in original post

Yunagi · ‎12-15-2017

If you really want to change the field with a Splunk search, then try the following:

| eval mail=substr(mail,0,len(mail)-1)

However, I think the better approach is to improve the actual field extraction. Can you provide the field extraction under Settings/Fields/Field extractions?

mayurr98 · ‎12-15-2017

Try this

| rex field=mail "(?P<mail>[^\s]+)\."

Let me know if it helps!

reschal · ‎12-15-2017

It works. Thanks very much 🙂

How to extract a part of a field?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to extract a part of a field?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR