Splunk Search

How to generate a regular expression to extract the email from my _raw event?

Path Finder

Help me with regular expression in search to pick
hello2017@gmail.com from _raw event below

<string>hello2017@gmail.com</string>

SplunkTrust

Try this

your base search | rex "(?<email>[\w\d\.\-]+\@[\w\d\.]+)"

OR better

your base search | rex "string\>(?<email>[\w\d\.\-]+\@[\w\d\.]+)\<"


Explorer

your base search | rex "(?<email>[\w\d.\-_]+\@[\w\d.\-_]+)"

If you feel some other special character would be there in the email ID or email field, add them along with "\w\d.-_" inside [] in both places.

SplunkTrust

Here are three answers to your question. Look for the section of the regex that has an @ in the middle of it, and look right and left until you find the edge of the part that is getting the email.

https://answers.splunk.com/answers/310664/regex-to-extract-multiple-email-addresses-in-splun.html
https://answers.splunk.com/answers/426212/how-to-extract-only-unique-email-ids-from-a-detail.html
https://answers.splunk.com/answers/170066/how-to-write-regex-to-extract-multiple-email-addre.html

Once you have something you think will work for your stuff, test it over at regex101.com.

Finally, try this in splunk with YOUR version of the regex until it works for your data.

| makeresults 
| eval myvalue="<string>hello2017@gmail.com</string>" 
| rex field=myvalue "(?<myemail>.*@.*)"

The results of what I put above are not exactly correct, but the code will run enough that you can fix it by putting your working regex in the last line.

SplunkTrust

I was gonna make him work for it, since even a cursory google found several easy answers on answer.splunk.com.

Super Champion

There is nothing 100% 🙂, but as per this site, the pattern which can reach 99.99% is

([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)

Full example below

|makeresults | eval _raw="<string>hello2017@gmail.co.uk</string>" | rex field=_raw "(?<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)"| table _raw, emailaddr
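To check the thread's candidate patterns offline before pasting one into rex, here is an added Python script (not from the thread or from Splunk) that runs each of them over a few constructed sample events, including the questioner's event, the .co.uk variant and one event without the <string> wrapper. Python's re module spells named groups (?P<name>...), so the script rewrites the PCRE (?<name>...) form before compiling; the sample events are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not from the original post): the questioner's
# event, the .co.uk variant from the last answer, and a key=value event
# where the address is not wrapped in <string> tags.
SAMPLE_EVENTS = [
    "<string>hello2017@gmail.com</string>",
    "<string>hello2017@gmail.co.uk</string>",
    "user=first.last-01@example-mail.org action=login",
]

# The patterns posted in the thread, verbatim (Splunk rex / PCRE syntax).
PATTERNS = {
    "simple": r"(?<email>[\w\d\.\-]+\@[\w\d\.]+)",
    "anchored": r"string\>(?<email>[\w\d\.\-]+\@[\w\d\.]+)\<",
    "broad": r"(?<emailaddr>[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)",
}


def to_python_regex(pcre: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched because the name must
    start with a letter or underscore."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pcre)


def extract_email(pattern: str, raw: str) -> Optional[str]:
    """Mimic `rex`: return the named group from the first match, else None."""
    m = re.search(to_python_regex(pattern), raw)
    if m is None:
        return None
    # Each pattern defines exactly one named group (email or emailaddr).
    return next(iter(m.groupdict().values()))


def run_all() -> Dict[str, List[Optional[str]]]:
    """Apply every pattern to every sample event, keyed by pattern name."""
    return {
        name: [extract_email(pat, ev) for ev in SAMPLE_EVENTS]
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, results in run_all().items():
        print(f"{name:9s}", results)
```

The output shows why the thread prefers the anchored and broad forms: the simple pattern has no hyphen in its domain class, so on the third event it stops at "first.last-01@example", while the anchored pattern returns nothing at all when the event lacks the <string> wrapper.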