Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using regex to extract domain from delimited email recipients, and then count them

jamesklassen
Path Finder
‎03-23-2011 05:30 PM

I need to count the number of incoming emails from external and internal sources, and the number going out to internal and external sources.

My data has sender_address and recipient_address fields. They look like: "email1@domain.com;email2@domain2.com"

I have used regex to extract the domain but I am having trouble extracting the domain for additional email addresses when specified (delimited by 😉 

index=hubtracking | rex field=sender_address ".[^@]+?@(?<sender_domain>.+)" | rex field=recipient_address ".[^@]+?@(?<recipient_domain>.+)" | stats count as TotalMessages, count(eval(sender_domain="mydomain.ca" AND recipient_domain="mydomain.ca")) as FromInternal, (eval(sender_domain!="mydomain.ca" AND recipient_domain="mydomain.ca")) as FromExternal

This kind of works...but the problem is that I'm only counting the first address specified in that field. I imagine that I first need to extract only the domain names, and then count them?

Tags (1)
0 Karma
Reply

jamesklassen
Path Finder
‎03-23-2011 08:54 PM

Got it, here's an example for anyone else working to get stats from Exchange 2010 message tracking logs:

index=hubtracking NOT SystemMailbox* | dedup message_id | rex field=sender_address "[a-zA-Z][\w\.-]*[a-zA-Z0-9]@(?<sender_domain>[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z])" | rex field=recipient_address "[a-zA-Z][\w\.-]*[a-zA-Z0-9]@(?<recipient_domain>[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z])" | stats sum(recipient_count) as TotalMessages, count(eval(sender_domain="yourdomain.com" AND recipient_domain="yourdomain.com")) as FromInternal
0 Karma
Reply

jamesklassen
Path Finder
‎03-23-2011 08:05 PM

I have the regex now, I just need to figure out how to count all of the domains now: rex field=sender_address "[a-zA-Z][\w.-][a-zA-Z0-9]@(?[a-zA-Z0-9][\w.-][a-zA-Z0-9].[a-zA-Z][a-zA-Z.]*[a-zA-Z])" | where(name = ";")

0 Karma
Reply
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Top