Combining 2 RE into single RE

Explorer

Hi,

For every event in Splunk, I have set the RE for host field. In general all the input to Splunk is of the form: rdnglagos010-1-1.Fa0-1.ncr.com, hence I set the RE as (?\w+-\d+-\d.+) while indexing the data. Now, apart from this, I also have input of the form: fusxpowtc1.eth-s4p1, hence I set the RE as (?\w+..+). When I combine them as (?\w+-\d+-\d.+)| (?\w+..+), I get the correct output for fusxpowtc1.eth-s4p1 but for the other one it displays as 1.ncr.com.

Can someone help me in writing a single RE such that host field should display correct output.

Let me know if you need any more information.

Regards,
Sushma.


Explorer

Hi somesoni2,

I am trying to extract these fields from raw data itself.

Regards,
Sushma.


SplunkTrust

You would need to setup a boundary of some sort so that combined regex works. Can you post a sample event for each type of host format? Scrub any sensitive data before posting.


SplunkTrust

You're trying to extract these fields from raw data or any other field? Can we have some sample entries? Different regex is required for both the cases.


SplunkTrust

This works for me in regex101.com

(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)
---
If this reply helps you, an upvote would be appreciated.

Explorer

Hi,

Ran the above search and fusxpowtc1.eth-s4p1 displayed under host field, whereas the fields h1 and h2 are empty.

Regards,
Sushma.


SplunkTrust

We really need a more complete example of the _raw to help you work this out.


SplunkTrust

What version of Splunk are you using? Please copy-and-paste your search as code so we can see it.

---
If this reply helps you, an upvote would be appreciated.

Explorer

Hi,

Still it is not working for me. I executed the RE that you gave.

It displays the output as rdnglagos010-1-1.Fa0-1.ncr.com in the host field which is correct but for the other one it displays the VM name in the host field rather than fusxpowtc1.eth-s4p1.

What can I do?

Regards,
Sushma.


SplunkTrust

Try this run-anywhere search. Field h2 should match the second host name. If it does not then there is something wrong in your search.

| makeresults 2 | eval host="fusxpowtc1.eth-s4p1" | rex field=host "(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)" | table host h1 h2
---
If this reply helps you, an upvote would be appreciated.
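As an added illustration (not from the thread, and not Splunk's own code), the alternation from the reply above run in Python's re module against the two host names quoted in the question, showing which named group each one populates. The single-group and whitespace-bounded variants, and the raw event line, are my own constructions to show why a boundary matters when the same pattern is applied to a full event rather than to an isolated host value; note that Splunk/PCRE writes named groups as (?<name>...) while Python's re needs (?P<name>...).

```python
import re

# The reply's regex, in PCRE: (?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)
# Python's re module spells named groups (?P<name>...), so the equivalent is:
TWO_GROUPS = re.compile(r"(?P<h1>\w+-\d+-\d.+)|(?P<h2>\w+\..+)")

# Hypothetical variant (not from the thread): the same alternation wrapped in
# ONE named group, so a single field is populated whichever branch matches.
ONE_GROUP = re.compile(r"(?P<host>\w+-\d+-\d.+|\w+\..+)")

# Hypothetical bounded variant: anchored on a "host=" key and using \S+ instead
# of .+ so the match stops at the next space instead of eating the whole line.
BOUNDED = re.compile(r"host=(?P<host>\w+-\d+-\d\S+|\w+\.\S+)")


def match_two_groups(value):
    """Return (h1, h2) the way rex would populate them: one is set, the other None."""
    m = TWO_GROUPS.search(value)
    return (m.group("h1"), m.group("h2")) if m else (None, None)


def match_one_group(value):
    """Return the single 'host' group, or None if neither branch matches."""
    m = ONE_GROUP.search(value)
    return m.group("host") if m else None


def match_bounded(raw):
    """Extract the host from a raw event line using the bounded pattern."""
    m = BOUNDED.search(raw)
    return m.group("host") if m else None


# Sample inputs: the two host names quoted in the question.
HOST_A = "rdnglagos010-1-1.Fa0-1.ncr.com"
HOST_B = "fusxpowtc1.eth-s4p1"
# Constructed raw event line (not from the thread) with fields after the host.
RAW_A = "2024-01-01T00:00:00 host=rdnglagos010-1-1.Fa0-1.ncr.com src=10.0.0.1 msg=up"
RAW_B = "2024-01-01T00:00:00 host=fusxpowtc1.eth-s4p1 src=10.0.0.2 msg=up"

if __name__ == "__main__":
    for v in (HOST_A, HOST_B):
        print(v, "->", match_two_groups(v), "|", match_one_group(v))
    # Unanchored, greedy .+ applied to a whole line matches from the timestamp
    # onward, so the 'host' group is the entire line.
    print("unbounded over raw line:", match_one_group(RAW_A))
    print("bounded over raw line:  ", match_bounded(RAW_A), match_bounded(RAW_B))
```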