Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex for normalizing VERP styled e-mail addresses
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all
For better bounce handling, we're using VERP styled from-addresses when sending mails through our postfix. So when splunk parses the mail logs, I have values in the from-field like this:
from=<bounce+baAABNQIIAAAAAMAAAARZXNEA@newsletter.domain.com>
Now I'm searching for a regex for search time extraction to remove the VERP id (all after the +).
I tried to use a lookahead ?=, which when matches doesn't get added to the whole mach:
\<(?<realfrom>[a-zA-Z]+(?=\+{1}[a-zA-Z]+)@.*)\>
But this didn't work so far. Any ideas how to get rid of the VERP id?
Thanks Simon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only valid option I can think of is to use the rex command with mode=sed to eliminate this part from the email address:
... | rex field=mail mode=sed "s/\+\w+@/@/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only valid option I can think of is to use the rex command with mode=sed to eliminate this part from the email address:
... | rex field=mail mode=sed "s/\+\w+@/@/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, seems like there's no other possibility.
I also got an answer from support that splunk doesn't replace more than one matching group in transforms.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to do this:
rex "\<(?<realfrom>\S+)\+\w+@"
I tested this with this search on my system:
* | head 1 | eval blah="from=<bounce+baAABNQIIAAAAAMAAAARZXNEA@newsletter.domain.com>" | rex field=blah "\<(?<realfrom>\S+)\+\w+@" | table blah realfrom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh ok. In that case ziegfried is right, you'll want to use rex in sed mode.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, thanks for your answer, but it's important that I get the domain name (newsletter.domain.com) in my match too. Only using the username of the email address for identifying senders is not distinct enough.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
