How to extract user email from raw message and ass...

vaishalireddy · ‎05-30-2022

This looks easy but I couldn't figure it out. Any help is appreciated.
How to extract user email from raw message and assign to a field?
For example, here is my event message

message: SpeciaService: Received Status for xxxxxxx Message=xxx(timeStamp=xxxx, job=1234(super=xxxx(id=1376, userId=xxxxx@xxxx.com , status = success)

I want to generate a table with userId and status fields generated from event logs that matches 'SpeciaService' events

I tried below, it didn't work

index=xxxx-* SERVICE="xxx-service" | rex field=SpeciaService: Exception "\S* (?<userId>\S*)" |eval status = if(exception, error:success )| table userId, status

lnn2204 · ‎05-31-2022

Or you can try this:

baseSearch
| rex field=_raw "\suserId\=(?<userId>.*?)\s\,"

gcusello · ‎05-30-2022

Hi @vaishalireddy,

you should already have the field extraction of userId and status because Splunk automatically extract the pairs fieldname=value, in this case you have only to use the table command.

If instead ou don't have fields, you have to extract them using a regex like this:

your_search
| rex "userId\=(?<userId>[^\@]*\@[^ ]*)\s+,\s+status\s+\=\s+(?<status>[^\)]*)"
| table userId status

you can test the regex at https://regex101.com/r/vKPdDK/1

if the format of the message can change use two separated regexes to extarct your two fields.

Ciao.

Giuseppe

ITWhisperer · ‎05-30-2022

Given the example event, try this

| regex "SpeciaService:"
| rex "userid=(?<userid>[^, ])"
| rex "status\s=\s(?<status>\w+)"
| table userid status

However, the format of the log looks odd - if the above doesn't work, please provide an accurate representation of your events.

How to extract user email from raw message and assign to a field?

eval

regex

rex

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?