topic Re: Extracting data from host field into a new field in Splunk Search

Extracting data from host field into a new field

amontero86 — Mon, 28 Sep 2020 18:41:38 GMT

I am trying to extract data from the host field as the name of the host gives information about the location and where in that location something exists.

Example: host="BUSINESS_PRODUCTION_NYC_ST06"

In the example above I want to Pull out NYC and put it into a City field. Which I have tried doing that using the following

| rex field=host "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

however when I run that search I do not see the new City field. However if try that using a different field it seems to work.

| eval host2="BUSINESS_PRODUCTION_NYC_ST02" | rex field=host2 "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

Am I missing something or is this a bug? ( I am using 6.2.0)

Re: Extracting data from host field into a new field

chanfoli — Fri, 16 Jan 2015 18:00:46 GMT

Was the difference in the above to extraction expressions "\w" vs "\w+" intended? I have seen similar questions and note that it should work the same on indexed fields as well as extracted or _raw data.

Re: Extracting data from host field into a new field

amontero86 — Fri, 16 Jan 2015 18:02:07 GMT

Nope that is what happens when you type rather than copy sorry.

Re: Extracting data from host field into a new field

amontero86 — Mon, 28 Sep 2020 18:41:40 GMT

Hi, Try this, |stats count | eval
host2="BUSINESS_PRODUCTION_NYC_ST02" |
rex field=host2
"BUSINESS_PRODUCTION_(?.)_ST"
| table host2,City

Cheerrss!

I am not sure why I can't see this response on this page. The query I posted that operates on host2 works without any problems. However when I apply the query to the host field it does not work.

Re: Extracting data from host field into a new field

vasanthmss — Fri, 16 Jan 2015 18:20:41 GMT

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City

Re: Extracting data from host field into a new field

vasanthmss — Fri, 16 Jan 2015 18:22:44 GMT

I have deleted and re posted the answer.

Re: Extracting data from host field into a new field

amontero86 — Fri, 16 Jan 2015 18:24:16 GMT

Thanks looking at your example I realized that I was using underscores instead of dashes. Its always the simple answers smh. Thanks for your time.

Re: Extracting data from host field into a new field

vasanthmss — Fri, 16 Jan 2015 18:25:24 GMT

Enjoy. Cheerrss!