Re: Extract host name from FQDN while searching.

Ravan · ‎02-07-2012

Hi,

How can we extract hostname from FQDN at runtime(Need to include with in the query)

Ex: myhost.domain.com (OR) myhost.subdomain.maindomain.com

we need only myhost here ...

kristian_kolb · ‎02-07-2012

Hi there,

I am assuming that you want to extract the hostname into a new field (since 'host' is a field that is always set). Just getting the host part of a FQDN is pretty straightforward (assuming that your field is called "FQDN");

... | rex field=FQDN "(?<host_name>[^.]+)\." | table host_name

and you can start using the new field straight away, as indicated above.

hope this helps,

Kristian

Ravan · ‎02-07-2012

in this case i have three fields (host,ip,os) , and we need to set the values in same "host"field.

Actual data :
host ip os
mywi2.R2.devel.in.com win
pctx1.R2.devel.in.com win
masymf.R1.prod.in.com win
swgdas.R2.devel.in.com win
dass.R2.devel.in.com win
swssch.R2.devel.in.com win

lguinn2 · ‎02-07-2012

In order to help, we need to know more about the data - an example of the actual data (with identifying information anonymized) would be helpful. Also, are you talking about setting the value of the host field, or do you want to create a different field?

I assume that different events in the same input stream could have different hostnames.

Extract host name from FQDN while searching.

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

Are you a member of the Splunk Community?

Extract host name from FQDN while searching.

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos