Splunk Enterprise

Field extraction to capture hostname

pm2012
Explorer

Hi SMEs,

Seeking help on the below field extraction to capture hostname1, hostname2, hostname3 & hostname4

 

Mar 22 04:00:01 hostname1 sudo: root : TTY=unknown ; PWD=/home/installer/LOG_Transfer ; USER=root ; COMMAND=/bin/bash -c grep -e 2024-03-21 -e Mar\ 21 /var/log/secure

Mar 22 04:00:01 hostname2 sudo: root : TTY=unknown ; PWD=/home/installer/LOG_Transfer ; USER=root ; COMMAND=/bin/bash -c grep -e 2024-03-21 -e Mar\ 21 /var/log/secure

2024-03-21T23:59:31.143161+05:30 hostname3 caam: [INVENTORY|CaaM-14a669917c4a02f5|caam|e0ded6f4f97c17132995|Dummy-5|INFO|caam_inventory_controller] Fetching operationexecutions filtering with vn_id CaaM-3ade67652a6a02f5 and tenant caam

2024-03-23T04:00:17.664082+05:30 hostname4 sudo: root : TTY=unknown ; PWD=/home/caam/LOG_Transfer ; USER=root ; COMMAND=/bin/bash -c grep -e 2024-03-22 -e Mar\ 22 /var/log/secure.7.gz

 

Labels (1)
Tags (1)
0 Karma

kiran_panchavat
Builder

@pm2012Try this. We can do it in multiple ways.

kiran_panchavat_2-1711993385953.png

 

kiran_panchavat_0-1711993339140.png

 

kiran_panchavat_1-1711993358969.png

 

 

 

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
0 Karma

PaulPanther
Motivator

@pm2012 Try

\d+:\d+\s(?<host>\S+)

 

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...