Solved: How to extract substring from field?

DavideASR · ‎11-04-2022

Hi, i'm trying to extract substring from a field1 to create field3 and then match field2 with field3

The search is:

index=antispam sourcetype=forcepointmail:sec
| fields msg suser from
| where NOT LIKE(suser,"%".from."%")

But

from=Domain noreply <noreply@domain.com>

suser=noreply@domain.com

I need to extract the substring contained between <> in the "from" field and match field "suser" with "created_field" .

I want to find each mail where the "From" field is different from "suser" field, so I can find spoofed mails on our antispam device.

thx

richgalloway · ‎11-04-2022

To extract the email address from the from field, use the rex command.

| rex field=from "\<(?<fuser>[^>]+)"

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎11-04-2022

Swap the fields in the like function. The first field is the one being examined and suser is the field that's part of the from field.

| where NOT LIKE(from,"%".suser."%")

---
If this reply helps you, Karma would be appreciated.

DavideASR · ‎11-04-2022

Ok it helps but isn't the solution,

from= Name Surname <name.surname@domain.com>

i have to create a field with the substring between <>

created_field=name.surname@domain.com extracted in the "from" field between the <>

richgalloway · ‎11-04-2022

To extract the email address from the from field, use the rex command.

| rex field=from "\<(?<fuser>[^>]+)"

---
If this reply helps you, Karma would be appreciated.

How to extract substring from field?