For every event in the SPLUNK, I have set the RE for host field. In general all the input to Splunk is of the form: rdnglagos010-1-1.Fa0-1.ncr.com, hence I set the RE as (?\w+-\d+-\d.+) while indexing the data. Now, apart from this, I also have input of the form: fusxpowtc1.eth-s4p1, hence I set the RE as (?\w+..+). When I combine them as (?\w+-\d+-\d.+)| (?\w+..+), I get the correct output for fuspowtc1.eth-s4p1 but for other one it displays as 1.ncr.com.
Can someone help me in writing a single RE such that host field should display correct output.
Let me know if you need any more information.
Still it is not working for me. I executed the RE that you gave.
It displays the output as rdnglagos010-1-1.Fa0-1.ncr.com in the host field which is correct but for the other one it displays the VM name in the host field rather than fusxpowtc1.eth-s4p1.
What can I do?
Try this run-anywhere search. Field h2 should match the second host name. If it does not then there is something wrong in your search.
| makeresults 2 | eval host="fusxpowtc1.eth-s4p1" | rex field=host "(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)" | table host h1 h2