topic Re: Extract via rex a list of hostnames from a block of text in Splunk Search

Extract via rex a list of hostnames from a block of text

swangertyler — Wed, 19 Jun 2019 20:59:33 GMT

I am trying to get a list of hostnames from a block of text via rex. I know I want the first string of every newline after the string "Please retire the following nodes(s):"

I couldnt solve for that, so I figured just getting all of the text after that string was "close enough" for now. I cannot get that to work right either.

| rex field=description "(?mis)Please retire the following nodes\(s\):\n(?P<hostname>.*).\n"

That doesn't return me anything. I have tried using online testers, and that regex seems to pass. What am I missing?

Plus, if anyone wants to flex their regex-fu and help me just get the first string on every new line vs. solving my "adjusted" problem, that is cool with me too.

Frankly, any help is appreciated.

Re: Extract via rex a list of hostnames from a block of text

swangertyler — Wed, 30 Sep 2020 00:58:26 GMT

the "block of text" takes the following form.

Please retire the following nodes(s):
hostname1 node_id: "text I dont need"
hostname2 node_id: "text I dont need"
hostname3 node_id: "text I dont need"
.
.
.
hostnameN node_id: "text I dont need"
Property: "text I dont need"
~~~

and what I would like is a list
hostname1
hostname2
.
.
.
hostnameN

Re: Extract via rex a list of hostnames from a block of text

MuS — Wed, 19 Jun 2019 23:35:16 GMT

hi swangertyler,

based on the provided examples give this a try:

| makeresults 
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
    hostname2 node_id: \"text I dont need\"
    hostname3 node_id: \"text I dont need\"
    .
.
.
hostnameN node_id: \"text I dont need\"
    Property: \"text I dont need\"" 
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"

Hope this helps ...

cheers, MuS

Re: Extract via rex a list of hostnames from a block of text

swangertyler — Thu, 20 Jun 2019 14:46:37 GMT

MuS. Nailed it. I had to tweak it minorly to get it to work with my real data since my "hostnameM" takes the form of a fully qualified domain name.

 | makeresults 
 | eval message="Please retire the following nodes(s):
 fully.qualified.domain1 node_id: \"text I dont need\"
     fully.qualified.domain2 node_id: \"text I dont need\"
     fully.qualified.domain3 node_id: \"text I dont need\"
     .
 .
 .
 fully.qualified.domainN node_id: \"text I dont need\"
     Property: \"text I dont need\"" 
 | rex field=message max_match=0 "(?<hostname>.*)\snode_id"