
extract a string from email id from raw logs ?

Builder

One of the sample logs is as follows:

time="2020-02-12 13:45:37" user-name="abc12345@def-ghi-01.com" proto="HTTPS" 

Now I want to extract abc12345 from the raw log's user-name as "user_name". To do that, I have given the regex below in props.conf for that sourcetype:

   props.conf :-
  EXTRACT-user = user-name=(?[^+@]*)@*\sproto=

Still, the above regex didn't work for filtering abc12345 under the username. I see abc12345@def-ghi-01.com under the username field.

I want to exclude the @.....com and extract only the username string prior to the @ sign.

Any help would be great.


Re: extract a string from email id from raw logs ?

SplunkTrust

Try this. You should test it out with rex first, inline in your search, to verify it works.

user-name\=\"(?<user>[a-z0-9]+)


| rex "user-name\=\"(?<user>[a-z0-9]+)"


Re: extract a string from email id from raw logs ?

Builder

Thanks for the response @skoelpin. It's working for now, but what if there are some non-numeric or non-alphabetic characters in the username? I think this regex won't work if a username is abc_123@xyz.com.


Re: extract a string from email id from raw logs ?

SplunkTrust

Try this (props.conf on your search head)

   EXTRACT-user = user-name=\"(?<user_name>[^\@]+)

Re: extract a string from email id from raw logs ?

Builder

Thanks for the response @somesoni2. I tried the regex but it's not working for some reason; I don't understand why. I could be missing something, since the regex seems good and it should work. It's just getting all the emails without skipping the @ part for some reason.


Re: extract a string from email id from raw logs ?

Champion

Hi

Try this

[your source type]
EXTRACT-username = ^(?:[^"\n]*"){3}(?P<username>[^@]+)

or

[your source type]
EXTRACT-username = user\-name\=\"(?P<username>[^@]+)
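An added example, not part of the thread: a small Python harness that checks the two extraction approaches from the replies (a character class, and "everything up to @") against constructed events, plus one added variant that also stops at the closing quote. Assumptions: Python's `re` stands in for Splunk's PCRE (hence `(?P<name>...)`), and the sample events and the `rcpt` key are made up for the test.

```python
import re

# Constructed sample events in the thread's key="value" format (not real logs).
EVENTS = [
    'time="2020-02-12 13:45:37" user-name="abc12345@def-ghi-01.com" proto="HTTPS"',
    'time="2020-02-12 13:46:02" user-name="abc_123@xyz.com" proto="HTTPS"',
    'time="2020-02-12 13:46:40" user-name="j.doe0@xyz.com" proto="HTTPS"',
    # No "@" in user-name, but one later in the event (hypothetical "rcpt" key).
    'time="2020-02-12 13:47:11" user-name="localadmin" proto="SMTP" rcpt="x@xyz.com"',
]
EXPECTED = ["abc12345", "abc_123", "j.doe0", "localadmin"]

# Approaches from the replies, written with Python's named-group syntax.
CANDIDATES = {
    "char_class": r'user-name="(?P<user_name>[a-z0-9]+)',
    "not_at": r'user-name="(?P<user_name>[^@]+)',
    # Added variant (assumption, not from the thread): also stop at the closing quote.
    "not_at_or_quote": r'user-name="(?P<user_name>[^@"]+)',
}


def extract(pattern, event):
    """Return the captured user_name, or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group("user_name") if m else None


def evaluate(expected):
    """Map each candidate to a list of (wanted, got) pairs where it extracts wrongly."""
    failures = {}
    for name, pattern in CANDIDATES.items():
        failures[name] = [
            (want, extract(pattern, ev))
            for ev, want in zip(EVENTS, expected)
            if extract(pattern, ev) != want
        ]
    return failures


if __name__ == "__main__":
    for name, bad in evaluate(EXPECTED).items():
        print(name, "OK" if not bad else f"wrong: {bad}")
```

The character class truncates at `_` and `.`, and `[^@]+` alone runs past the closing quote when the value has no `@`, so a user field built that way can carry unrelated text from the rest of the event into searches and alerts.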