Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to extract an email ID using regex

DataOrg
Builder
‎12-12-2017 11:56 PM

The service with id No.[sana.hello@fajfa.com] is not found in header
The service with id No.[eddadat@wifiad.net.au] is not found in header

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎12-13-2017 03:35 AM

If you need to change the data before it is indexed, then you can use something similar to the following in your props.conf file:

[your-source-type]
SEDCMD-anonemail = s/(No\.\s*\[)[^\]+/\1#####@#####/

If your data actually differs some from your example data, you may have to adjust, but this regex will result in an obfuscated email address inside the square brackets.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎12-13-2017 12:03 AM

Hi @premranjithj,

Please use regex with sed mode | rex mode=sed "s/(.*)\[(.*)\]/\1[#####]/g"

Based on sample data I have created below query (First 3 lines are used to generate dummy data)

| makeresults 
| eval _raw="The service with id No.[sana.hello@fajfa.com] is not found in hdaher"
| append [ | makeresults | eval _raw="The service with id No.[eddadat@wifiad.net.au] is not found in headder"]
| rex mode=sed "s/(.*)\[(.*)\]/\1[#####]/g"

which is giving below output

The service with id No.[#####] is not found in hdaher
The service with id No.[#####] is not found in headder

EDIT: If you don't want to mask email ID and you want to remove it totally then use regex | rex mode=sed "s/(.*)\[(.*)\]/\1/g"

Sample query:

| makeresults 
| eval _raw="The service with id No.[sana.hello@fajfa.com] is not found in hdaher"
| append [ | makeresults | eval _raw="The service with id No.[eddadat@wifiad.net.au] is not found in headder"]
| rex mode=sed "s/(.*)\[(.*)\]/\1/g"

Which gives output as below

The service with id No. is not found in hdaher
The service with id No. is not found in headder

I hope this helps.

Thanks,
Harshil

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...