topic Split and display in Splunk Search

Split and display

priya0709 — Wed, 16 Sep 2020 07:27:30 GMT

My requirement is to display just domain (eg Corp)

From below Computername

Computername - <host>. Corp. <Domain>. Com

Re: Split and display

bowesmana — Wed, 16 Sep 2020 07:43:31 GMT

You can use either split or rex

| rex field=Computername "[^\.]*\.(?<Corp>[^\.]*)" OR | eval Corp=mvindex(split(Computername,"."),1,1)

Hope this helps

Re: Split and display

ITWhisperer — Wed, 16 Sep 2020 07:46:48 GMT

It isn't clear if "Computername" is part of the field you are trying to extract from or the name of the field. If it is part of the field (assuming _raw)

| rex "Computername - \w+\.(?<Corp>[^\.]+)\.Com"

If it is the field name

| rex field=Computername "^\w+\.(?<Corp>[^\.]+)\.Com"

This assume <host> is at the beginning of Computername. If not, just remove the ^ from the beginning

Both of these assume that there are only two dots in the computername

Re: Split and display

priya0709 — Wed, 16 Sep 2020 08:58:13 GMT

Thanks for your reply

Computername is from raw dat

But actual field is 'Hostdomain' under which I want to display 'corp' from computername

Computername format - -

<HOST>. Corp. <domain>. com

Re: Split and display

ITWhisperer — Wed, 16 Sep 2020 09:05:48 GMT

In that case

| rex field=Hostdomain "^[^\.]+\.(?<Corp>[^\.]+)"