Populate Custom Field from Regex

Let me start by apologizing for my lack of knowledge relating to perl scripting and RT as I am fairly new to both. I have been looking for a way to regex search the contents of an email-generated incident report for the username contained within the forwarded log, and populate a custom field in the report. I have already created the custom field “DLP User”, and set it to “on create” with the action of “user defined” and a blank template setting. The field has also been applied to the proper queue.

A ticket gets generated with the following content in the body of the email:

Source IP:
Source Port: 0
Source Username (from event): Bob, Smith
Source Network: other

I would like to extract the username “Bob, Smith” from the body and have it populate in the custom field “DLP User”. I think the action code should be something like:

Field => ‘DLP User’,
Value => $username

My main struggle is figuring out how to search the body of the email that generated the report. Does anyone have any experience doing something like this?


Have you had a look at the command by mail extension?

Best Regards


This would be more useful if I had more control over the formatting of the email alerts that are being sent to RT. Unfortunately I dont.