Hello to the community!
I have an email field with values following this pattern: <example@example.com>
Is there any way to remove the special characters <
and >
and index the value as example@example.com?
Thanks!
Hello,
Several ways to do it. Please check this accepted answer
https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html
Also, you could achieve something similar with SEDCMD. PLease see the props.conf
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
simple example: SEDCMD-hash = "s/this/that/g"
Make sure it doesn't conflict with other <> in the same log.
Hope this helps!
Thanks,
Raghav
Like this:
... | rex field=MyEmailFieldName mode=sed "s/[<>]//g"
This works, but I want it to have in indexing time. I don't want the special characters to show up and need to map it on CIM so as Enterprise Security will correlate this info as an email without < and >
.
Then use SEDCMD (with the same sed string without the quotes)"
http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Anonymizedatausingconfigurationfiles
Hello,
Several ways to do it. Please check this accepted answer
https://answers.splunk.com/answers/172300/how-to-extract-the-email-address-from-the-my-logs.html
Also, you could achieve something similar with SEDCMD. PLease see the props.conf
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
simple example: SEDCMD-hash = "s/this/that/g"
Make sure it doesn't conflict with other <> in the same log.
Hope this helps!
Thanks,
Raghav
I have put in my /opt/splunk/etc/system/local/props.conf the following:
[mysourcetype]
SEDCMD-stripEmail = "s/[<>]//g"
But it seems that the emails are indexed as: <example@example.com>
.
Any ideas?
Try without quotes
[mysourcetype]
SEDCMD-stripemail=s/[<>]//g as @woodcock stated
Hope this helps!
Thanks,
Raghav
Hi @andresito123
I think the pattern you were trying to show didn't render properly. I would edit your question and re-paste your sample pattern, but be sure to use the text editing tools. Highlight your code, then click on the "Code Sample" button for it to display.
Fixed with an edit!