Extract domain from field

elk2 · October 1, 2018, 9:39am

I want to extract domain from email field that is like this:

smtp.from_mail : "news <newsletters@example.com>"

I would like to use grok or other useful plugin.

elk2 · October 2, 2018, 10:14am

Someone can help me?

bardie · October 3, 2018, 12:57pm

smtp.from_mail : "news \<%{DATA:user}\@%{DATA:domain}\>"

on logstash use

  grok {
    match => [ 'message', 'smtp.from_mail : "news \<%{DATA:user}\@%{DATA:domain}\>"' ]
  }

You can build or test your own grok statements on:

elk2 · October 5, 2018, 1:34pm

Thanks for your reply,
I tried but when I try to print the field domain with stdout plugin it seems don't work..

output{
if [event] == "smtp" {
stdout {
codec => line { format =>"%{[smtp][from]} - %{[domain]} - %{maildomain} - %[maildomain] - %maildomain" }
}
}

I see this results
test@example.com - %{[domain]} - %{domain} - %[domain] - %domain

I tried all combinations to print domain but without success.

system · November 2, 2018, 2:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract domains from a string of email address Logstash	3	1259	March 26, 2019
Logstash Grok - Extract field if field exists & deleting character Logstash	3	464	August 20, 2021
Clean and split email address into two new fields Logstash ingest-pipeline	4	429	April 14, 2021
Grok filter add_field Logstash	6	2077	May 19, 2020
Logstash Filters - Grok a email advice Logstash	4	419	July 10, 2019