Trying to get the domain from multiple email recipients using rex


sourcetype=mysource | rex field=shared_with "(?P<domain>[A-Za-z0-9]+\.[a-zA-Z]+)$"

The emails go to several different recipients and domains (Google, Yahoo, MSN, etc.).
When I use this I get one result but none of the others. Someone recommended using a sed command to strip everything before the @, however I can't seem to get it to work.


Motivator

Here is what you can try.

1) If the data is not already extracted into a field, extract it first into the shared_with field:

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"

2) Next, work on this field to extract all the domain names using rex with max_match=0:

| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"

3) Now you can use the fields name and domain the way you want, e.g. table them directly (each is a multivalue field):

| table name, domain

Here is the complete query:

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"
| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"
| table name, domain

Next you can use mvexpand on the domain field to turn the multivalue field into individual field values.


Champion

Slight variation to your 2nd rex:

| rex max_match=0 field=shared_with "(^|, )(?<name>[^@ ]+)@(?<domain>[^,]+)(,|$)"

Prevents getting ", " as a prefix to name.
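To see what each of the rex patterns discussed in this thread actually extracts, here is an added example that is not part of any post above: it runs the poster's original pattern, the accepted answer's pattern, the variation just above, and a separator-safe alternative over the randomized sample event posted later in the thread, using Python's re module in place of Splunk. re.finditer walks the field left to right taking successive non-overlapping matches, which is what max_match=0 does; the run_rex helper, the pattern names, and the org domain toshiko.com (taken from the event's user= field) are assumptions of this example, not Splunk features. The separator-safe pattern keeps the ", " out of the name without consuming it, so no address is skipped.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed copy of the randomized sample event posted in this thread.
SAMPLE_EVENT = (
    'Jan 22 20:06:12 ttjtsxj00 syslog[0233]: - - [Shirlene@2024 activitytype="Share" '
    'createdtimestamp="2012-00-00D20:02:04" fromdetect="0" '
    'insertedtimestamp="2012-00-00D20:02:09" instance="L006f51sf" objecttype="File" '
    'service="secure" severity="informational" '
    'sharedwith="mark@diohnasypmxzjic.com, bart@diohnasypmxzjic.com, arat@toshiko.com, '
    'ken.smith@toshiko.com, eva.@one.toshiko.com, randal@toshiko.com, '
    'libby@wh.toshiko.com, azzie.hailey@one.toshiko.com, amy@diohnasypmxzjic.com, '
    'loretta.mark@one.toshiko.com, zenaida@one.toshiko.com, cherrie@diohnasypmxzjic.com, '
    'marcy@diohnasypmxzjic.com, genny@diohnasypmxzjic.com" source="KAY" '
    'user="natalya.h.lisabeth@toshiko.com"] User shared Deandrea document'
)

# Step 1 of the accepted answer: pull the quoted list out of the raw event.
# The sample spells the key "sharedwith" while the thread's rex used "shared_with",
# so the underscore is optional here.
FIELD_RE = re.compile(r'shared_?with="(?P<shared_with>[^"]+)"')

# The poster's original pattern: anchored to the end of the field, so it can only
# ever produce the last domain (the "I get 1 result" symptom).
ORIGINAL_RE = re.compile(r'(?P<domain>[A-Za-z0-9]+\.[a-zA-Z]+)$')

# Accepted answer, step 2: one match per address, but [^@]+ also swallows the
# ", " separator in front of every name after the first.
ACCEPTED_RE = re.compile(r'(?P<name>[^@]+)@(?P<domain>[^,"\s]+)')

# The variation above: the separator is matched outside the named groups, but
# the trailing (,|$) consumes the comma, so the next match cannot start at it.
VARIANT_RE = re.compile(r'(^|, )(?P<name>[^@ ]+)@(?P<domain>[^,]+)(,|$)')

# Separator-safe alternative (this example's suggestion): exclude commas and
# whitespace from both groups instead of matching the separator at all.
SEPARATOR_SAFE_RE = re.compile(r'(?P<name>[^@,\s]+)@(?P<domain>[^,\s]+)')


def extract_shared_with(event: str) -> str:
    """Equivalent of the thread's first rex: return the raw recipient list."""
    m = FIELD_RE.search(event)
    if m is None:
        raise ValueError("event has no sharedwith field")
    return m.group("shared_with")


def run_rex(pattern: "re.Pattern", field: str, max_match: int = 1) -> List[Dict[str, str]]:
    """Emulate `rex field=<field> max_match=N`: successive non-overlapping
    matches, keeping only the named groups. max_match=0 means unlimited."""
    out: List[Dict[str, str]] = []
    for m in pattern.finditer(field):
        out.append(m.groupdict())
        if max_match and len(out) >= max_match:
            break
    return out


def domain_counts(matches: List[Dict[str, str]]) -> Dict[str, int]:
    """Equivalent of `| mvexpand domain | stats count by domain`."""
    return dict(Counter(m["domain"] for m in matches))


def external_domains(matches: List[Dict[str, str]], org_domain: str) -> List[str]:
    """Domains that are neither org_domain nor one of its subdomains, i.e. the
    recipients a share review would care about (org_domain is an assumption)."""
    ext = {m["domain"] for m in matches
           if m["domain"] != org_domain and not m["domain"].endswith("." + org_domain)}
    return sorted(ext)


if __name__ == "__main__":
    field = extract_shared_with(SAMPLE_EVENT)
    print("original :", run_rex(ORIGINAL_RE, field))
    print("accepted :", [m["name"] for m in run_rex(ACCEPTED_RE, field, 0)])
    print("variant  :", [m["name"] for m in run_rex(VARIANT_RE, field, 0)])
    safe = run_rex(SEPARATOR_SAFE_RE, field, 0)
    print("safe     :", [m["name"] for m in safe])
    print("by domain:", domain_counts(safe))
    print("external :", external_domains(safe, "toshiko.com"))
```

On this event the original pattern returns a single domain, the accepted pattern returns all 14 addresses but with ", " glued to every name after the first, the variation returns only every second address because each match eats the comma the next one needs, and the separator-safe pattern returns all 14 cleanly. In SPL the last one is `| rex field=shared_with max_match=0 "(?<name>[^@,\s]+)@(?<domain>[^,\s]+)"`, followed by the mvexpand and stats from the accepted answer.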

Explorer

Thanks gokadroid, I made a couple of adjustments and it is working great, thanks!

index=mine sharedwith=*@*
| rex max_match=0 field=shared_with "(^|, )(?<name>[^@ ]+)@(?<domain>[^,]+)(,|$)"
| table name, domain


Motivator

Awesome...happy to have helped.


Explorer

Jan 22 20:06:12 ttjtsxj00 syslog[0233]: - - [Shirlene@2024 activitytype="Share" createdtimestamp="2012-00-00D20:02:04" fromdetect="0" insertedtimestamp="2012-00-00D20:02:09" instance="L006f51sf" objecttype="File" service="secure" severity="informational" sharedwith="mark@diohnasypmxzjic.com, bart@diohnasypmxzjic.com, arat@toshiko.com, ken.smith@toshiko.com, eva.@one.toshiko.com, randal@toshiko.com, libby@wh.toshiko.com, azzie.hailey@one.toshiko.com, amy@diohnasypmxzjic.com, loretta.mark@one.toshiko.com, zenaida@one.toshiko.com, cherrie@diohnasypmxzjic.com, marcy@diohnasypmxzjic.com, genny@diohnasypmxzjic.com" source="KAY" user="natalya.h.lisabeth@toshiko.com"] User shared Deandrea document

Domain and user data have been randomized.


Based on your sample code above, I'm guessing you have a field called shared_with and each instance of the field contains just a single email address. If so, this should work for you:

sourcetype=mysource
| rex field="shared_with" "@(?<domain>.*)$"

It just looks for the @ in the field and captures everything after it into a new field called domain.

SplunkTrust

Could you provide some sample data please.
