Solved: extract host name from field

splunkuseradmin · ‎03-26-2019

Hi everybody

I wanted to extract all hostname from this field "local_address" and save in a new field call "host" so that i only get the hostnames after "@"
I believe we can do it by "search | spath | rex field=local_address "@(?P[^-]+)"| stats count by _time host"
please corerct this.
below is the exact field

local_address
14081300@abc3-def-ghi1101.jklm.opqr.com
13546330@wer2-gre-oug1201.jklm.opqr.com
thanks

harsmarvania57 · ‎03-26-2019

Hi,

You can try below search

<yourBaseSearch>
| spath
| rex field=local_address "\@(?<ext_host>[^\h]*)"
| stats count by ext_host,_time

View solution in original post

harsmarvania57 · ‎03-26-2019

Hi,

You can try below search

<yourBaseSearch>
| spath
| rex field=local_address "\@(?<ext_host>[^\h]*)"
| stats count by ext_host,_time

harsmarvania57 · ‎03-26-2019

If local_address is multi-valued field then you can try below query

<yourBaseSearch>
| spath
| rex field=local_address "\@(?<ext_host>[^\v]*)" max_match=0
| mvexpand ext_host

extract host name from field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!