我在寻找一个正则表达式,它将使我能够在第一行中捕获邮箱的名称,然后在回车后作为'count'组捕获相应的值。下面是一个示例,总共大约有14个邮件地址;
Protection.admin@test.com
705
Go.live@test.com
14
ABCpremier@test.com
29
reassuredtest.com
20
lifetest@test.com
8
我已经使用了Rubular,我能够捕获'count'的值,可以这么说,但是当在splunk中使用它时-我只捕获705的第一个值,因为我认为它与'发生了冲突。' in 'Go.live';
[a-z.]+@test.comrn](?<count>[^nr]+)
有人能帮助我在一个查询,将循环,捕获邮箱名称作为一个捕获组,然后计数值进行它?
要在Splunk中从正则表达式中获得多于第一个匹配,您必须使用rex命令的max_match选项。提取所有邮箱名称和计数后,将它们配对,分成单独的事件,然后再次分开。如果您尝试在不配对名称和计数的情况下拆分事件,那么您将失去名称与其计数之间的关联。
这是一个随处运行的示例查询。注意,我必须修改第四个电子邮件地址。
| makeresults | eval _raw="Protection.admin@test.com
705
Go.live@test.com
14
ABCpremier@test.com
29
reassured@test.com
20
lifetest@test.com
8"
```Commands above create demo data. Delete IRL```
```Extract the mailbox names and counts```
| rex max_match=0 "(?<mailbox>[^@]+)@[sS]+?(?<count>d+)"
```Combine each mailbox name with its count```
| eval results=mvzip(mailbox,count)
```Remove line ends```
| eval results=trim(results,"
")
```Separate each name/count pair into their own events```
| mvexpand results
```Break out the mailbox and count values into separate fields again```
| eval results=split(results,",")
| eval mailbox=mvindex(results, 0), count=mvindex(results, 1)
```Display the results```
| table mailbox count