Splunk Search

Extract domain from FQDN in Windows Event log

bkcarter
Path Finder

I need to create a transform stanza that will separate some events depending on which domain they originate from.

They are in Windows Forwarded Event logs.
I have the props.conf and transform.conf all complete except for the regex.

The line I need to extract from is:

ComputerName=machine.domain.local

"domain.local" is what I need to check against. It may be "domain.local" in one event, but "newdomain.com" in another event. My transforms need to put these different events into different indexes.

I am having a difficult time understanding how to apply the REGEX expression.

If I use the web-based field extraction in Splunk, it gives me the following expression:

(?i).*?\.(?P<FIELDNAME>\w+\.\w+)

I am not sure how I translate this into the transform.conf stanza.

Any help would be greatly appreciated!

0 Karma

Rob
Splunk Employee

bkcarter, you might want to test this in your Splunk search using the rex command like so:

|rex field=_raw ".*ComputerName=machine\.(?<myFieldName>\w+\.\w+)"

If you are not sure what the ComputerName or machine name is going to be then try:

|rex field=_raw ".*=\w+\.(?<myFieldName>\w+\.\w+)"

The trouble with not being as specific here is that this regex will match anything that has a word with three periods after an equal sign (e.g. =my.random.string). If you can be more specific about either the ComputerName or the machine part of the regex, then you will want to do so.

In the transforms stanza you would simply put:

REGEX = .*=machine\.(?<myFieldName>\w+\.\w+)

You could also copy and paste most of the line from the interactive field extractor that you have above as the regex is pretty similar:

REGEX = .*?\.(?P<FIELDNAME>\w+\.\w+)

Hope that helps, and please don't forget to vote!

0 Karma
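A complete routing configuration for the case in the question, added here as an illustration; it is not taken from the thread above and is not the asker's or Splunk's own configuration. It assumes the events arrive with sourcetype WinEventLog:ForwardedEvents and that indexes named win_domain_local and win_newdomain_com already exist on the indexers; all three names are assumptions. Unlike the generic \w+\.\w+ capture from the field extractor, which grabs whatever two dot-separated words follow the first dot (so machine.sub.domain.local yields sub.domain), each stanza anchors on the literal domain suffix and on the end of the line, so a host under a subdomain still routes correctly and a name such as machine.domain.local.example cannot match.

```ini
# props.conf (on the indexer or heavy forwarder that parses the events;
# index-time TRANSFORMS do not run on a universal forwarder).
# The sourcetype name is an assumption; confirm yours with a metadata search.
[WinEventLog:ForwardedEvents]
TRANSFORMS-route_by_domain = route_domain_local, route_newdomain_com

# transforms.conf
# Each stanza overwrites the _MetaData:Index key when its REGEX matches.
# The two patterns are mutually exclusive, so order does not matter here;
# an event that matches neither keeps the index set on the input stanza.
[route_domain_local]
# (?i) ignores case, (?m) lets ^ and $ match at line boundaries inside the
# multi-line event, \S+ takes the host (including any subdomain labels),
# and \s*$ requires the value to end there (tolerating a trailing CR).
REGEX = (?im)^ComputerName=\S+\.domain\.local\s*$
DEST_KEY = _MetaData:Index
FORMAT = win_domain_local

[route_newdomain_com]
REGEX = (?im)^ComputerName=\S+\.newdomain\.com\s*$
DEST_KEY = _MetaData:Index
FORMAT = win_newdomain_com
```

Before deploying, check each pattern with the rex approach shown in the answer (for example, `| rex field=_raw "(?im)^ComputerName=\S+\.(?<domain>domain\.local)\s*$"`) and confirm the target indexes exist; Splunk drops events routed to an index that is not defined unless a lastChanceIndex is configured. After restarting the parsing tier, a search such as `index=win_domain_local ComputerName=*.domain.local` should return the routed events and `index=win_newdomain_com ComputerName=*.domain.local` should return none.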