Splunk Search

Extract multiple unmapped fields using Regex

Nidd
Path Finder

Hi,

I have the following log from which I need to extract 2 fields:

 

[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) [MyServiceImpl(emailServ:6431)] [my email@yahoo.com] [4223TD-E3DE-2345-8E59-1-YDHGC]   Validation failed.Invalid. Response JSON {"emailAddress":"mynewemail","statusReason":"failed_syntax_check","domain":"","processedAt":"2020-11-16 20:52:30 GMT-0700 (MST)","cache":false,"account":"","status":"invalid"}

 


I need to show the below values as 2 different fields in a table:

  • my email@yahoo.com as Email1
  • mynewemail as Email2

Was not able to fetch Email1 field. Tried to fetch the Email2 field as below. But that didnt work either.

 

^(?:[^<\n]*<){2}\s+"\{"\w+":"(?P<emailAddress>[^"]+)

 

 

Please extend your help.

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Nidd,

sorry: I forgot a slice of my regex:

| rex "\]\s+\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/2

Ciao.

Giuseppe 

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| rex "(\[[^\[]+){2}\[(?<email1>[^\]]+).*emailAddress\":\"(?<email2>[^\"]+)"

gcusello
SplunkTrust
SplunkTrust

Hi @Nidd, try this:

 

| rex "\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/1

Ciao.

Giuseppe

0 Karma

Nidd
Path Finder

Thank you @gcusello for the reply.

When trying to bring these fields in a table, the email2 field was perfect. But the email1 field came out like:

[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) [MyServiceImpl(emailServ:6431)] [my email@yahoo.com

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Nidd,

sorry: I forgot a slice of my regex:

| rex "\]\s+\[(?<email1>[^\@]+\@[^\@]+)\]\s+\[.*emailAddress\":\"(?<email2>[^\"]+)"

that you can test at https://regex101.com/r/ZLI9NN/2

Ciao.

Giuseppe 

Nidd
Path Finder

Thank you very much @gcusello . That worked !!!

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...