Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract a string from email id from raw logs ?

pavanae
Builder
‎02-12-2020 11:06 AM

One of the sample log is as follows :- 

time="2020-02-12 13:45:37" user-name="abc12345@def-ghi-01.com" proto="HTTPS"

Now I want to extract the abc12345 from the raw logs user-name as "user_name". For doing that I have given the below regex in props.conf for that sourcetype 

   props.conf :-
  EXTRACT-user = user-name=(?[^+@]*)@*\sproto=

Still the above regex doesn't worked on filtering the abc12345 under the user_name. I see the abc12345@def-ghi-01.com under the user_name field.

I want to exclude the @.....com and wanted to extract only the the username string prior to the @ sign.

Any help would be great.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-12-2020 11:55 AM

Try this. You should test it out with rex first inline of your search to verify it works 

user-name\=\"(?<user>[a-z1-9]+)


| rex user-name\=\"(?<user>[a-z1-9]+)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-12-2020 09:22 PM

Hi

Try this

[your source type]
EXTRACT-username = ^(?:[^"\n]*"){3}(?P<username>[^@]+)

or

[your source type]
EXTRACT-username = user\-name\=\"(?P<username>[^@]+)
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-12-2020 12:01 PM

Try this (props.conf on your search head)

   EXTRACT-user = user-name=\"(?<user_name>[^\@]+)
0 Karma
Reply
Solved! Jump to solution

pavanae
Builder
‎02-12-2020 07:29 PM

Thanks for the response @somesoni2 . I tried the regex but it's not working for some reason I don't understand why. I could be missing something since the regex seems good and it should work. It's just getting all the emails without skipping the @ part for some reason.

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-12-2020 11:55 AM

Try this. You should test it out with rex first inline of your search to verify it works 

user-name\=\"(?<user>[a-z1-9]+)


| rex user-name\=\"(?<user>[a-z1-9]+)
0 Karma
Reply
Solved! Jump to solution

pavanae
Builder
‎02-12-2020 07:27 PM

thanks for the response @skoelpin It working for now but what if there are some non numeric or non alphabetic characters in the username. I think this regex wont work if an username has abc_123@xyz.com

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...