topic Re: rex to modify hostname field and where . is there remove it in Splunk Search

rex to modify hostname field and where . is there remove it

surekhasplunk — Tue, 09 Mar 2021 13:18:57 GMT

I have index=syslog where the hostname comes as fqdn and Ip address

i want rex to modify only hostname field only where fqdn is coming and modify then to get only first part of the hostname all after . should be removed and save it in a new field host.

example : hostname column has hostname which looks like abcd-efg-hij-k23-b1.xyz.gmail

Now after using rex/sed i want in the host field abcd-efg-hij-k23-b1 everything after . should be removed.

note: i also have ip address which has . in it so while applying rex the ip addresses should not be considered.

It should only affect/take into consideration the alphanumeric field.

Re: rex to modify hostname field and where . is there remove it

gcusello — Tue, 09 Mar 2021 13:27:29 GMT

Hi @surekhasplunk,

let me understand: do you want a regex to extract the hostname before dot at search time or do you want to set the hostname at indextime?

If at searchtime, try this regex

| rex field=host "^(?<host>[^\.]+)"

if you want to replace the hostname using SEDCMD, you could try:

SEDCMD-host = y/[^\.]\.\w+\.\w+/[^\.]/

Ciao.

Giuseppe

Re: rex to modify hostname field and where . is there remove it

gcusello — Tue, 09 Mar 2021 14:21:16 GMT

Hi @surekhasplunk,

good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: rex to modify hostname field and where . is there remove it

sumandevops — Thu, 15 Apr 2021 14:52:39 GMT

How to get first part before .

example: host filed is looks like

abdc.4567

I want only 4567

Re: rex to modify hostname field and where . is there remove it

scelikok — Thu, 15 Apr 2021 15:21:05 GMT

Hi @sumandevops,

You can use rex command;

| rex field=host "(?<host_no>\d+)"