
Extract domain from FQDN in Windows Event log

bkcarter
Path Finder

I need to create a transform stanza that will separate some events depending on which domain they originate from.

They are in Windows Forwarded Event logs.
I have the props.conf and transform.conf all complete except for the regex.

The line I need to extract from is:

ComputerName=machine.domain.local

"domain.local" is what I need to check against. It may be "domain.local" in one event, but "newdomain.com" in another event. My transforms need to put these different events into different indexes.

I am having a difficult time understanding how to apply the REGEX expression.

If I use the web-based field extraction in Splunk, it gives me the following expression:

(?i).*?\.(?P<FIELDNAME>\w+\.\w+)

I am not sure how I translate this into the transform.conf stanza.

Any help would be greatly appreciated!


Rob
Splunk Employee

bkcarter, you might want to test this in your Splunk search using the rex command like so:

|rex field=_raw ".*ComputerName=machine\.(?<myFieldName>\w+\.\w+)"

If you are not sure what the ComputerName or machine name is going to be then try:

|rex field=_raw ".*=\w+\.(?<myFieldName>\w+\.\w+)"

The trouble with not being as specific here is that this regex will match anything that has a word with three periods after an equal sign (e.g. =my.random.string). If you can be more specific about either the ComputerName or the machine part of the regex, then you will want to do so.

In the transforms stanza you would simply put:

REGEX = .*=machine\.(?<myFieldName>\w+\.\w+)

You could also copy and paste most of the line from the interactive field extractor that you have above as the regex is pretty similar:

REGEX = .*?\.(?P<FIELDNAME>\w+\.\w+)

Hope that helps, and please don't forget to vote!

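As an added illustration (not code from either poster), the Python below runs the two regexes from the answer above over constructed event lines and maps the captured domain to a destination index the way the per-domain transforms would. The sample lines and index names are made up; Python's re module only accepts the (?P<name>...) group syntax, so the (?<name>...) form from the rex commands is written that way here.

```python
import re

# Regexes from the answer above. Splunk's PCRE accepts (?<name>...) and
# (?P<name>...); Python's re needs the (?P<name>...) spelling.
SPECIFIC = re.compile(r".*ComputerName=machine\.(?P<domain>\w+\.\w+)")
LOOSE = re.compile(r".*=\w+\.(?P<domain>\w+\.\w+)")

# Constructed domain -> index mapping (placeholder index names) standing in
# for one transforms stanza per domain.
DOMAIN_TO_INDEX = {"domain.local": "win_legacy", "newdomain.com": "win_new"}


def extract_domain(regex, event):
    """Return the captured domain from one event line, or None on no match."""
    m = regex.search(event)
    return m.group("domain") if m else None


def route(event, regex=LOOSE, default_index="main"):
    """Choose the destination index from the extracted domain; events whose
    domain is unknown or unmatched fall through to the default index."""
    return DOMAIN_TO_INDEX.get(extract_domain(regex, event), default_index)


# Constructed sample lines in the key=value shape of Windows Forwarded Events.
EVENTS = [
    "ComputerName=machine.domain.local",        # the questioner's example
    "ComputerName=dc01.newdomain.com",          # a different host and domain
    # Not a hostname at all, yet LOOSE matches it: the caveat in the answer.
    "Detail=my.random.string",
    # Three-label domain: \w+\.\w+ captures only two labels, so the event
    # is misattributed and lands in the default index.
    "ComputerName=web01.corp.newdomain.com",
]


def route_all(events, regex=LOOSE):
    """Pair every event with its captured domain and destination index."""
    return [(e, extract_domain(regex, e), route(e, regex)) for e in events]


if __name__ == "__main__":
    for event, domain, index in route_all(EVENTS):
        print(f"{event:45} domain={domain!s:16} index={index}")
```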