Monitoring Splunk

how do I specify a search where different fields for hostA and hostB when they are identified as IP addresses

reneedeleon
Engager

I want to only pull stats for hostA and hostB when they are only identified as IP addresses and other specific names

index=stuff* blah OR blahblah  
| fillnull value=NULL hostA, hostB
| where match(hostA,"(\d{1,3}\.}{3}\d{1,3})")
| where match(hostB,"(\d{1,3}\.}{3}\d{1,3})")
| stats count by hostA, hostB

and

index=stuff* blah OR blahblah  
| fillnull value=NULL hostA, hostB
| regex hostA="^(\d{1,3}\.}{3}\d{1,3}).*"
| regex hostB="^(\d{1,3}\.}{3}\d{1,3}).*"
| stats count by hostA, hostB

I have tried both and neither turns up results. Am I taking the right approach?

1 Solution

woodcock
Esteemed Legend

Like this:

index=stuff* blah OR blahblah  
| where match(hostA, "^\d+.\d+.\d+.\d+") AND match(hostB, "^\d+.\d+.\d+.\d+")
| fillnull value="NULL" hostA, hostB
| stats count BY hostA hostB


reneedeleon
Engager

Thank you, but I had to make a small change.

| where match(hostA, "^\d+.\d+.\d+.\d+") AND match(hostB, "^\d+.\d+.\d+.\d+")


woodcock
Esteemed Legend

I fixed my answer, too. I initially copied yours in your question and it is broken there, too.

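As an added example, not part of the thread, here is the thread's filter replayed in Python rather than SPL so it runs offline: the three regexes that appear above are applied to constructed hostA/hostB values, mimicking `where match(hostA, p) AND match(hostB, p)` and `stats count BY hostA hostB`. The sample rows and the "strict" pattern (my reading of what the question intended) are assumptions; it shows why the question's pattern drops everything, and that the accepted answer's unescaped dots also let non-address strings through.

```python
import re

# Constructed sample rows standing in for the hostA/hostB values the thread's
# search produces after `fillnull value=NULL`; not data from the thread.
ROWS = [
    {"hostA": "10.0.0.5", "hostB": "192.168.1.20"},     # two addresses: should count
    {"hostA": "web01", "hostB": "10.0.0.5"},            # hostname on one side
    {"hostA": "10.0.0.5", "hostB": "NULL"},             # fillnull placeholder
    {"hostA": "1a2b3c4d", "hostB": "10.0.0.5"},         # digits and letters, not an address
    {"hostA": "10.0.0.5:8080", "hostB": "10.0.0.5"},    # address with a port suffix
]

# The patterns from the thread as Python's re module reads them; Splunk's
# match() uses PCRE, which treats these three the same way.
PATTERNS = {
    # Question's attempt: the stray '}' makes '}{3}' mean "three literal braces",
    # so no address can match and the where clause drops every event.
    "question": r"(\d{1,3}\.}{3}\d{1,3})",
    # Accepted answer: unescaped '.' matches any character and only the start is
    # anchored, so 1a2b3c4d and 10.0.0.5:8080 pass as well.
    "answer": r"^\d+.\d+.\d+.\d+",
    # What the question was reaching for (assumed intent): group quantifier in
    # the right place and both ends anchored so suffixes are rejected.
    "strict": r"^(\d{1,3}\.){3}\d{1,3}$",
}


def both_hosts_match(rows, pattern):
    """Mimic `| where match(hostA, p) AND match(hostB, p)`. match() has search
    semantics (a hit anywhere in the value), so anchors must be explicit."""
    rx = re.compile(pattern)
    return [r for r in rows if rx.search(r["hostA"]) and rx.search(r["hostB"])]


def stats_count(rows):
    """Mimic `| stats count BY hostA hostB`: counts keyed by (hostA, hostB)."""
    counts = {}
    for r in rows:
        key = (r["hostA"], r["hostB"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:9s} -> {stats_count(both_hosts_match(ROWS, pattern))}")
```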