Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex for extracting email with a trailing whitespace

nmayafit
Path Finder
‎11-13-2017 05:43 AM

Hi,

I have log line according to the next template: [2017-11-03 13:55:52,945] [MYPROJ] [EMAIL=xxx@yyy.com]

But I want to find users (EMAIL) where the user inserted a whitespace at the start/end of the email: [2017-11-03 13:55:52,945] [MYPROJ] [EMAIL=xxx@yyy.com ] <- notice the end of the email

Somehow no regex will find it.

Is there something in the splunk admin conf that will trim the whitespace automatically?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:55 AM

| rex "(?<email_with_trailing_space>\[EMAIL=[^]]+ \])" | search email_with_trailing_space=*

That will extract the full [EMAIL=...] portion of the log and allow you to search for a space before the closing ].

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎11-13-2017 10:58 AM

This line, in a search, will alter field EMAIL so that all spaces are deleted. 

| rex field=EMAIL mode=sed "s/ //g"

You can also sedmode the events at the indexer while you are ingesting them, which alters the underlying _raw data. 

SEDCMD-foo s/(\[EMAIL=)(\s*)(\S*)(\s*)(\S*)(\s*)(\])/\1\3\5\7/g
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-13-2017 07:57 AM

HI,

Can you please try rex? This rex will extract EMAIL ID and blank space (if any)

.*EMAIL=(?<EMAIL_ID>.*)(?<BLANK_SPACE>[|.\s])

You can try below search also.

YOUR_SEARCH
| rex field=_raw.*EMAIL=(?<EMAIL_ID>.*)(?<BLANK_SPACE>[|.\s])
| table _time EMAIL_ID BLANK_SPACE

This search will list you eail_is as well as BLANK Space at ed of email id(if any).

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:55 AM

| rex "(?<email_with_trailing_space>\[EMAIL=[^]]+ \])" | search email_with_trailing_space=*

That will extract the full [EMAIL=...] portion of the log and allow you to search for a space before the closing ].

Reply
Solved! Jump to solution

nmayafit
Path Finder
‎11-13-2017 08:44 AM

Great catch. REALLY not according to splunk's docs ([\s] etc.)

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...