topic Re: Regex Extracting Phonehome client name in Splunk Search

Regex Extracting Phonehome client name

hartfoml — Mon, 21 Oct 2013 15:36:46 GMT

Here are my _internal Phonehome logs for UF client connections:

xxx.xxx.128.89 - - [21/Oct/2013:09:49:47.820 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.128.89_8089_xxx.xxx.128.89_iuppiter.sub.com_ea HTTP/1.0" 200 1226 - - - 45ms xxx.xxx.254.211 - - [21/Oct/2013:09:49:47.470 -0500] "POST /services/broker/phonehome/connection_128.157.254.211_8089_sub-ia-dump1.sub.domain.com_sub-ia-dump01.sub.domain.com_ia HTTP/1.0" 200 1300 - - - 42ms xxx.xxx.182.29 - - [21/Oct/2013:09:49:47.451 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.182.29_8089_sub-ia-render02.sub.domain.com_sub-IA-RENDER02_ia HTTP/1.0" 200 278 - - - 41ms xxx.xxx.15.201 - - [21/Oct/2013:09:49:47.440 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.15.201_8089_agdl.sub.domain.com_blade014_ea HTTP/1.0" 200 1303 - - - 44ms xxx.xxx.182.29 - - [21/Oct/2013:09:49:47.384 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.182.29_8089_sub-ia-render02.sub.domain.com_sub-IA-RENDER02_ia HTTP/1.0" 200 2277 - - - 43ms xxx.xxx.94.221 - - [21/Oct/2013:09:49:47.189 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.94.221_8089_sub-it-bak01a.sub.domain.com_sub-it-bak01a.sub.domain.com_ia HTTP/1.0" 200 278 - - - 41ms xxx.xxx.138.96 - - [21/Oct/2013:09:49:47.161 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.138.96_8089_sub-ia-snlmdc02.sub.domain.com_sub-ia-snlmdc02.ndc.domain.com_ia HTTP/1.0" 200 1302 - - - 42ms xxx.xxx.226.17 - - [21/Oct/2013:09:49:47.158 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.226.17_8089_xxx.xxx.226.17_skynet.sub.domain.com_ea HTTP/1.0" 200 1314 - - - 43ms xxx.xxx.10.12 - - [21/Oct/2013:09:49:47.015 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.12_8089_subb-dacs2.dacs.subb.sub.domain.com_subb-dacs2_w-ra HTTP/1.0" 200 278 - - - 101ms xxx.xxx.10.4 - - [21/Oct/2013:09:49:46.920 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.4_8089_subb-pta.dacs.subb.sub.domain.com_subb-PTA_w-ra HTTP/1.0" 200 1073 - - - 102ms xxx.xxx.10.12 - - [21/Oct/2013:09:49:46.826 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.12_8089_subb-dacs2.dacs.subb.sub.domain.com_subb-dacs2_w-ra HTTP/1.0" 200 1075 - - - 101ms xxx.xxx.10.4 - - [21/Oct/2013:09:49:46.735 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.4_8089_subb-pta.dacs.subb.sub.domain.com_subb-PTA_w-ra HTTP/1.0" 200 1073 - - - 101ms xxx.xxx.94.117 - - [21/Oct/2013:09:49:46.489 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.94.117_8089_sub-ia-fs01b.sub.domain.com_sub-IA-FS01B_ia HTTP/1.0" 200 1281 - - - 42ms

I want to extract the client host name.
I could use this [ (?i).+phonehome.+_8089_(?P<FIELDNAME>.+?)_ ] but in some cases this produces an IP (see first event in logs above)

I don't know who to get the host name when it is preceded by the client IP first.
Can you help?

Re: Regex Extracting Phonehome client name

richgalloway — Mon, 21 Oct 2013 16:57:22 GMT

I got good results with this regex string

(?i).+phonehome.+8089_(.+_)?(?P<fieldname>.+?)_

A helpful site for testing regex strings is RegexPlanet.

Re: Regex Extracting Phonehome client name

kristian_kolb — Mon, 21 Oct 2013 17:09:54 GMT

An excerpt of the relevant part of some of your events, edited for redability.

_8089_sub-ia-dump1.sub.domain.com          _sub-ia-dump01.sub.domain.com     _ia
_8089_sub-ia-fs01b.sub.domain.com          _sub-IA-FS01B                     _ia
_8089_subb-dacs2.dacs.subb.sub.domain.com  _subb-dacs2                       _w-ra
_8089_xxx.xxx.226.17                       _skynet.sub.domain.com            _ea
_8089_sub-ia-snlmdc02.sub.domain.com       _sub-ia-snlmdc02.ndc.domain.com   _ia
_8089_sub-ia-render02.sub.domain.com       _sub-IA-RENDER02                  _ia
_8089_xxx.xxx.128.89                       _iuppiter.sub.com                 _ea

It seems that underscore separates the values you're after within the string. (I take it you want the second column above, right?) Then the following regex should work for you;

index=_internal phonehome | rex "_8089_[^_]+_(?<myfield>[^_]+)_" | ...

UPDATE:

I believe this should work, i.e. if the first part is an IP address, it will skip over to the next part.

index=_internal phonehome | rex "_8089_(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}_)?(?<myfield>[^_]+)_" | ...

Hope this helps,

Re: Regex Extracting Phonehome client name

hartfoml — Mon, 21 Oct 2013 17:27:15 GMT

Thanks Kristian this helps.

Like I said above I was hoping to get the FQDN.

Thanks for the help.

Re: Regex Extracting Phonehome client name

kristian_kolb — Mon, 21 Oct 2013 17:33:18 GMT

you want the first 'column' but only if it's a FQDN, otherwise take 'column' 2, so to speak?

Re: Regex Extracting Phonehome client name

kristian_kolb — Mon, 21 Oct 2013 17:55:51 GMT

see update above