Solved: simple email regex

kleckns · ‎07-27-2017

Ive been trying most of the regex solutions on this forum, but cant get any of them to work. Im trying to extract emails into a new field without any of the extra junk

field value needs regex:
 "John Doe" <john.doe@somedomain.tld>

search:
    ... | rex field=from "(?<from>(?<=<)[^>]+)" | table from, other fields, etc...

im looking for john.doe@somedomain.tld without any quotes or gt/lt characters around it in the from field

somesoni2 · ‎07-27-2017

This should do it.

... | rex field=from "(\<|\;)(?<from>[^\>\;]+)" | table from, other fields, etc...

View solution in original post

somesoni2 · ‎07-27-2017

This should do it.

... | rex field=from "(\<|\;)(?<from>[^\>\;]+)" | table from, other fields, etc...

kleckns · ‎07-28-2017

your regex worked great. Part of the problem was a dumb mistake on my part. i had switched the fields around in the field=email_from "(<|\;)(?[^>\;]+)"

the orig field that had the values is email_from, not from. i wanted to create a new field called from... so i had it backwards.

Thank you for the regex!

simple email regex

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!