Trying to get the domain from multiple email recipients using rex

Dallastek
Explorer

sourcetype=mysource | rex field=shared_with "(?P[A-Za-z0-9]+.[a-zA-Z]+)$"

emails going to several different recipients and domains (google, yahoo, msn etc.)
When I use this I get 1 result but not any of the others. Someone recommended using a sed command to strip everything before the @, however I can't seem to get it to work.


gokadroid
Motivator

Here is what you can try:

1) If the data is not already extracted in a field, extract it first into the shared_with field

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"

2) Next, work on this field to extract all the domain names using rex with max_match=0

| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"

3) Now you can use the fields name and domain the way you want, e.g. table them directly [domain is a multivalue field]

| table name, domain

Here is the complete query:

sourcetype=mysource
| rex "shared_with=\"(?<shared_with>[^\"]+)"
| rex field=shared_with max_match=0 "(?<name>[^@]+)@(?<domain>[^,\"\s]+)"
| table name, domain

Next you can use mvexpand on domain field to make the values individual field values rather than a multivalue field.


micahkemp
Champion

Slight variation to your 2nd rex:

| rex max_match=0 field=shared_with "(^|, )(?<name>[^@ ]+)@(?<domain>[^,]+)(,|$)"

Prevents getting , as a prefix to name.
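As an added example (not code from any poster in the thread), the two rex steps of the accepted answer and the ", " prefix problem noted just above, reproduced in Python against an abbreviated copy of the randomized event posted later in the thread. FIELD_RE generalises step 1 to every key="value" pair in the event, and external_domains is an added detection step (count of recipient domains outside the sharing user's own domain, with its subdomains treated as internal) that the thread only gestures at with mvexpand.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated copy of the randomized event posted in the thread.
EVENT = (
    'Jan 22 20:06:12 ttjtsxj00 syslog[0233]: - - [Shirlene@2024 activity_type="Share" '
    'shared_with="mark@diohnasypmxzjic.com, bart@diohnasypmxzjic.com, arat@toshiko.com, '
    'eva.@one.toshiko.com, libby@wh.toshiko.com" source="KAY" '
    'user="natalya.h.lisabeth@toshiko.com"] User shared Deandrea document'
)

# Step 1 of the accepted answer, generalised to every key="value" pair in the event.
# Splunk's rex writes named groups as (?<x>...); Python's re spells them (?P<x>...).
FIELD_RE = re.compile(r'(?P<field>\w+)="(?P<value>[^"]*)"')

# Step 2 exactly as posted: (?<name>[^@]+)@(?<domain>[^,\"\s]+) with max_match=0.
# [^@]+ swallows the ", " separator, so every name after the first starts with ", ".
POSTED_RE = re.compile(r'(?P<name>[^@]+)@(?P<domain>[^,"\s]+)')

# Same extraction with comma and whitespace excluded from the local part as well,
# so the separator never leaks into name (the prefix problem raised in the thread).
CLEAN_RE = re.compile(r'(?P<name>[^@,\s]+)@(?P<domain>[^,"\s]+)')


def extract_fields(event):
    """Return the event's key="value" pairs (shared_with, user, ...) as a dict."""
    return {m['field']: m['value'] for m in FIELD_RE.finditer(event)}


def extract_recipients(shared_with, pattern=CLEAN_RE):
    """max_match=0 equivalent: every (name, domain) pair in the multivalue string."""
    return [(m['name'], m['domain']) for m in pattern.finditer(shared_with)]


def external_domains(recipients, owner):
    """Count recipient domains outside the sharing user's own domain: the
    'mvexpand domain | stats count by domain' step from the thread, kept only
    for domains that are neither the owner's domain nor a subdomain of it."""
    owner_domain = owner.rpartition('@')[2].lower()
    counts = Counter(domain.lower() for _, domain in recipients)
    return {d: n for d, n in counts.items()
            if d != owner_domain and not d.endswith('.' + owner_domain)}


if __name__ == '__main__':
    fields = extract_fields(EVENT)
    recipients = extract_recipients(fields['shared_with'])
    print(extract_recipients(fields['shared_with'], POSTED_RE)[1])  # (', bart', 'diohnasypmxzjic.com')
    print(external_domains(recipients, fields['user']))  # {'diohnasypmxzjic.com': 2}
```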

Dallastek
Explorer

Thanks gokadroid, I made a couple of adjustments and it is working great, thanks!

index=mine shared_with=@
| rex max_match=0 field=shared_with "(^|, )(?<name>[^@ ]+)@(?<domain>[^,]+)(,|$)" | table name, domain


gokadroid
Motivator

Awesome...happy to have helped.


Dallastek
Explorer

Jan 22 20:06:12 ttjtsxj00 syslog[0233]: - - [Shirlene@2024 activity_type="Share" created_timestamp="2012-00-00D20:02:04" from_detect="0" inserted_timestamp="2012-00-00D20:02:09" instance="L006f51sf" object_type="File" service="secure" severity="informational" shared_with="mark@diohnasypmxzjic.com, bart@diohnasypmxzjic.com, arat@toshiko.com, ken.smith@toshiko.com, eva.@one.toshiko.com, randal@toshiko.com, libby@wh.toshiko.com, azzie.hailey@one.toshiko.com, amy@diohnasypmxzjic.com, loretta.mark@one.toshiko.com, zenaida@one.toshiko.com, cherrie@diohnasypmxzjic.com, marcy@diohnasypmxzjic.com, genny@diohnasypmxzjic.com" source="KAY" user="natalya.h.lisabeth@toshiko.com"] User shared Deandrea document

Domain and user data have been randomized.


elliotproebstel
Champion

Based on your sample code above, I'm guessing you have a field called shared_with, and each instance of the field contains just a single email address. If so, this should work for you:

sourcetype=mysource
| rex field="shared_with" "@(?<domain>.*)$"

It just looks for the @ in the field and captures everything after it into a new field called domain.


horsefez
Motivator

Could you provide some sample data, please?
