Solved: Re: extract host name from field

splunkuseradmin · ‎03-26-2019

Hi everybody

I wanted to extract all hostname from this field "local_address" and save in a new field call "host" so that i only get the hostnames after "@"
I believe we can do it by "search | spath | rex field=local_address "@(?P[^-]+)"| stats count by _time host"
please corerct this.
below is the exact field

local_address
14081300@abc3-def-ghi1101.jklm.opqr.com
13546330@wer2-gre-oug1201.jklm.opqr.com
thanks

harsmarvania57 · ‎03-26-2019

Hi,

You can try below search

<yourBaseSearch>
| spath
| rex field=local_address "\@(?<ext_host>[^\h]*)"
| stats count by ext_host,_time

View solution in original post

harsmarvania57 · ‎03-26-2019

Hi,

You can try below search

<yourBaseSearch>
| spath
| rex field=local_address "\@(?<ext_host>[^\h]*)"
| stats count by ext_host,_time

harsmarvania57 · ‎03-26-2019

If local_address is multi-valued field then you can try below query

<yourBaseSearch>
| spath
| rex field=local_address "\@(?<ext_host>[^\v]*)" max_match=0
| mvexpand ext_host

extract host name from field

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

extract host name from field

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?