topic Re: Get the network server names from the _raw events in Splunk Search

Get the network server names from the _raw events

Raghav2384 — Mon, 28 Sep 2020 16:30:51 GMT

Hello Again,
We have an index = network which isn't setup at host level so, we do not have accuracy using hosts field. I have to look in the events and get the list from it :(. This is what the events look like

event 1: May 1 10:20:37 3.9.128.37 May 1 14:24:50 **slot1/ISSvsXUSalpdc01a* debug apd[9979]: 01490024:7: a24c56dc: LDAP module: LEAVE Function queryLDAP*.

event 2: Apr 30 06:59:36 **xbtssyslog1.ae.xy.com* EOGfeEGBwalke01 Apr 30 2014 06:59:36 EOGfeEGBwalke01 : %ASA-5-304001: 10.168.3.11 Accessed URL ##12.30.128.137:ww.theminiforum.xx.xy/

So, it's pretty much the third word i need from every log event(This example: "slot1/ISSvsXUSalpdc01a" & "xbtssyslog1.ae.xy.com"

I tried delim="" to see if it splits(no luck). Please advice.
Thanks in advance.
Raghav

Re: Get the network server names from the _raw events

lguinn2 — Thu, 01 May 2014 17:16:04 GMT

First, I would get the indexing fixed. There are many ways to set the host field on inbound data - inputs.conf, props.conf and transforms.conf.

But to get the host field out of already indexed data, you could do this

index=network 
| rex "(?:^.*?\d{2}:\d{2}:\d{2}.*?\d{2}:\d{2}:\d{2}|^.*?\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s"

I am not entirely sure that this will work - it is a fairly complex regular expression. I named the resulting field hostname to distinguish it from the default host field.

Re: Get the network server names from the _raw events

richgalloway — Thu, 01 May 2014 17:24:45 GMT

The key is to find commonalities among your events and then write a regex that extracts the desired data from them. I see no such commonalities in your examples. The host names are the 8th and 4th words, respectively, so word count doesn't work. Nor do I see any other anchor that can be used to find the host name in each event. Perhaps you can use source or sourcetype to determine which of several regex's to apply to the associated event.

A better approach would be to parse the events as they are indexed so the fields are available at search time.

Re: Get the network server names from the _raw events

Raghav2384 — Wed, 21 May 2014 15:07:20 GMT

That worked like a charm. Could you please explain the rex you provided? i have more scenarios like this and can't figure out how it's getting to the host.

Re: Get the network server names from the _raw events

lguinn2 — Wed, 21 May 2014 18:44:22 GMT

It's a bit complicated. I'll try, but I suggest "Teach Yourself Regular Expressions in 10 Minutes" or http://regular-expressions.info or any old Perl book you might have around.

EITHER dd:dd:dd anything dd:dd:dd 
OR anything dd:dd:dd
FOLLOWED BY the field hostname, which is a string of characters, terminated by whitespace