How to extract fields from the logs

mariamathewtel
Explorer

Hi All,

I have a set of logs from one of my ticketing systems. I want to extract the host name of the device that caused the issue from the description.

Critical_DISK: ABC - /var is at 99 % .
Critical_DISK: DEF - /var/log is at 85 % .
Critical_DISK: GHI - /var/log is at 90 % .
Critical_DISK: JKL-MNO-PQR - /var/log is at 73 % .
Critical_DISK: JKL-MNO-PQR - /var/log is at 85 % .
Critical_DISK: JKL-MNO-PQR - /var/log is at 87 % .
Critical_DISK: hkgtelpac-sg1.hkg2.oss - /var/log is at 85 % .
[VMware vCenter - Alarm alarm.HostConnectivityAlarm] Host abcdefgh.in.reach.com in TGCN_PAD is not responding
[zenoss] AB-CD-EFG 10.111.122.33 is DOWN!
[zenoss] QWERTYU disk space threshold: 98.1% used (8.1GB free)
[zenoss] asedfrt 10.20.30.40 is DOWN!

These are some sample descriptions.

I used this rex statement:

| rex field=_raw "^[^\\]\\n]*\\]\\s+(?P<HostName>\\w+)"

but it is not extracting the hostname properly.

Can someone please help me with this?

0 Karma

richgalloway
SplunkTrust

Try this rex command.

| rex "[:\]]\s(?:Host\s)?(?<HostName>\S+)"

---
If this reply helps you, Karma would be appreciated.
0 Karma
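To see why the original rex misses most of the events and what the suggested one captures, here are both patterns run against the thread's sample descriptions with Python's re module. This is an added illustration, not code from either post; the only change is that the PCRE `(?<name>...)` group is written as Python's `(?P<name>...)`, and the sample events are copied from the question (not real hosts).

```python
import re

# Sample event descriptions copied from the question (constructed data,
# host names are not real systems).
EVENTS = [
    "Critical_DISK: ABC - /var is at 99 % .",
    "Critical_DISK: JKL-MNO-PQR - /var/log is at 73 % .",
    "Critical_DISK: hkgtelpac-sg1.hkg2.oss - /var/log is at 85 % .",
    "[VMware vCenter - Alarm alarm.HostConnectivityAlarm] Host abcdefgh.in.reach.com in TGCN_PAD is not responding",
    "[zenoss] AB-CD-EFG 10.111.122.33 is DOWN!",
    "[zenoss] QWERTYU disk space threshold: 98.1% used (8.1GB free)",
    "[zenoss] asedfrt 10.20.30.40 is DOWN!",
]

# The original poster's pattern: it requires a ']' somewhere in the event
# (so the Critical_DISK lines never match) and \w+ stops the capture at
# the first '-' or '.', which truncates hyphenated and dotted host names.
ORIGINAL = re.compile(r"^[^\]\n]*\]\s+(?P<HostName>\w+)")

# The suggested pattern: anchor on ': ' or '] ', skip an optional
# 'Host ' prefix, then take the whole non-whitespace token.
# (?<HostName> from the Splunk answer is spelled (?P<HostName> here.)
SUGGESTED = re.compile(r"[:\]]\s(?:Host\s)?(?P<HostName>\S+)")


def extract(pattern, event):
    """Return the HostName capture for one event, or None when the
    pattern does not match (rex would simply leave the field unset)."""
    m = pattern.search(event)
    return m.group("HostName") if m else None


def extract_all(pattern, events=EVENTS):
    """Apply one pattern to every sample event, preserving order."""
    return [extract(pattern, e) for e in events]


if __name__ == "__main__":
    print(f"{'original':<12} {'suggested':<24} event")
    for event in EVENTS:
        print(f"{str(extract(ORIGINAL, event)):<12} "
              f"{str(extract(SUGGESTED, event)):<24} {event}")
```

Splunk's rex uses PCRE, so the `(?<HostName>...)` spelling in the answer works as posted there; only Python needs the `P`.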

richgalloway
SplunkTrust

Which part of those events (I assume they're separate events) is the host name? I see at least 3 different ways to identify the host.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mariamathewtel
Explorer

Hi @richgalloway ,

Thanks for the reply. Host names are the highlighted bold ones.

Critical_DISK: ABC - /var is at 99 % .
Critical_DISK: DEF - /var/log is at 85 % .
Critical_DISK: GHI - /var/log is at 90 % .
Critical_DISK: JKL-MNO-PQR - /var/log is at 73 % .
Critical_DISK: JKL-MNO-PQR - /var/log is at 85 % .
Critical_DISK: JKL-MNO-PQR - /var/log is at 87 % .
Critical_DISK: hkgtelpac-sg1.hkg2.oss - /var/log is at 85 % .
[VMware vCenter - Alarm alarm.HostConnectivityAlarm] Host abcdefgh.in.reach.com in TGCN_PAD is not responding
[zenoss] AB-CD-EFG 10.111.122.33 is DOWN!
[zenoss] QWERTYU disk space threshold: 98.1% used (8.1GB free)
[zenoss] asedfrt 10.20.30.40 is DOWN!

0 Karma