Splunk Search

How to generate a regular expression to extract the email from my _raw event?

sravankaripe
Communicator

Help me with regular expression in search to pick
hello2017@gmail.com from _raw event below

<string>hello2017@gmail.com</string>
0 Karma
1 Solution

somesoni2
SplunkTrust

Try this

your base search | rex "(?<email>[\w\d\.\-]+\@[\w\d\.]+)"

OR better

your base search | rex "string\>(?<email>[\w\d\.\-]+\@[\w\d\.]+)\<"

0 Karma

ckp123
Path Finder

your base search | rex "(?<email>[\w\d._-]+\@[\w\d._-]+)"

If you feel some other special character could be present in the email ID or email field, add it along with "\w\d.-_" inside [] in both places.

DalJeanis
SplunkTrust

Here are three answers to your question. Look for the section of the regex that has an @ in the middle of it, and look right and left until you find the edge of the part that is getting the email.

https://answers.splunk.com/answers/310664/regex-to-extract-multiple-email-addresses-in-splun.html
https://answers.splunk.com/answers/426212/how-to-extract-only-unique-email-ids-from-a-detail.html
https://answers.splunk.com/answers/170066/how-to-write-regex-to-extract-multiple-email-addre.html

Once you have something you think will work for your stuff, test it over at regex101.com.

Finally, try this in splunk with YOUR version of the regex until it works for your data.

| makeresults 
| eval myvalue="<string>hello2017@gmail.com</string>" 
| rex field=myvalue "(?<myemail>.*@.*)"

The results of what I put above are not exactly correct, but the code will run enough that you can fix it by putting your working regex in the last line.

0 Karma

DalJeanis
SplunkTrust

I was gonna make him work for it, since even a cursory google found several easy answers on answers.splunk.com.

0 Karma

koshyk
Super Champion

There is nothing 100% 🙂, but as per this site, a pattern which can reach 99.99% is

([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)

Full example below

|makeresults | eval _raw="<string>hello2017@gmail.co.uk</string>" | rex field=_raw "(?<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)"| table _raw, emailaddr
0 Karma
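To try the thread's patterns outside Splunk, here is an added Python example (not from the original thread; Python's `re` stands in for Splunk's PCRE, and the named-group syntax is `(?P<email>` instead of `(?<email>`). It runs each proposed regex over a few constructed events and also shows why `.-_` inside a character class is a range from `.` to `_` rather than three literals, so it swallows `<`, `>`, `/` and `@` and over-matches.

```python
import re

# Constructed sample events (not from the original thread).
EVENTS = [
    "<string>hello2017@gmail.com</string>",
    "<string>hello2017@gmail.co.uk</string>",
    'id=42 user="first.last-x@mail.example.org" status=ok',
]

# The patterns proposed in the thread, written for Python's re module.
LOOSE = re.compile(r"(?P<email>[\w\d\.\-]+\@[\w\d\.]+)")
ANCHORED = re.compile(r"string\>(?P<email>[\w\d\.\-]+\@[\w\d\.]+)\<")
DOTTED = re.compile(r"(?P<email>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)")
# The class as originally posted: '.-_' is a RANGE (0x2E..0x5F), so it also
# matches '/', ':', '<', '>', '@' and uppercase letters, and the greedy '+'
# consumes the whole event before backtracking to the last '@'.
RANGE_BUG = re.compile(r"(?P<email>[\w\d.-_]+\@[\w\d.-_]+)")
# Same intent with '-' moved to the end of the class so it is a literal.
RANGE_FIXED = re.compile(r"(?P<email>[\w\d._-]+\@[\w\d._-]+)")

PATTERNS = {
    "loose": LOOSE,
    "anchored": ANCHORED,
    "dotted": DOTTED,
    "range_bug": RANGE_BUG,
    "range_fixed": RANGE_FIXED,
}


def extract_email(raw, pattern):
    """Return the 'email' group of the first match, as rex would, or None."""
    m = pattern.search(raw)
    return m.group("email") if m else None


def run_all(events=EVENTS):
    """Map each pattern name to its extraction for every event, in order."""
    return {name: [extract_email(e, p) for e in events]
            for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, results in run_all().items():
        print(f"{name:12} {results}")
```

The `anchored` pattern is the safest when every event really is wrapped in `<string>...</string>`, but it returns nothing for the key=value event, which is the trade-off to check against your own data.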