Splunk Search

How to extract substring from field?

DavideASR
Engager

Hi, i'm trying to extract substring from a field1 to create field3 and then match field2 with field3 

 

The search is:

index=antispam sourcetype=forcepointmail:sec 
| fields msg suser from
| where NOT LIKE(suser,"%".from."%")

But

from=Domain noreply <noreply@domain.com> 

suser=noreply@domain.com

I need to extract the substring contained between <> in the "from"  field and match field "suser" with "created_field" .

 

I want to find each mail where the "From" field is different from "suser" field, so I can find spoofed mails on our antispam device.

 

thx

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

To extract the email address from the from field, use the rex command.

| rex field=from "\<(?<fuser>[^>]+)"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Swap the fields in the like function.  The first field is the one being examined and suser is the field that's part of the from field.

| where NOT LIKE(from,"%".suser."%")

 

---
If this reply helps you, Karma would be appreciated.

DavideASR
Engager

Ok it helps but isn't the solution,

from= Name Surname <name.surname@domain.com>

suser= name.surname@domain.com

i have to create a field with the substring between <>

created_field=name.surname@domain.com extracted in the "from" field  between the <>

0 Karma

richgalloway
SplunkTrust
SplunkTrust

To extract the email address from the from field, use the rex command.

| rex field=from "\<(?<fuser>[^>]+)"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...