
Extract via rex a list of hostnames from a block of text

swangertyler
Explorer

I am trying to get a list of hostnames from a block of text via rex. I know I want the first string of every newline after the string "Please retire the following nodes(s):"

I couldn't solve for that, so I figured just getting all of the text after that string was "close enough" for now. I cannot get that to work right either.

| rex field=description "(?mis)Please retire the following nodes\(s\):\n(?P<hostname>.*).\n"

That doesn't return me anything. I have tried using online testers, and that regex seems to pass. What am I missing?

Plus, if anyone wants to flex their regex-fu and help me just get the first string on every new line vs. solving my "adjusted" problem, that is cool with me too.

Frankly, any help is appreciated.


MuS
SplunkTrust

hi swangertyler,

Based on the provided examples, give this a try:

| makeresults 
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
    hostname2 node_id: \"text I dont need\"
    hostname3 node_id: \"text I dont need\"
    .
.
.
hostnameN node_id: \"text I dont need\"
    Property: \"text I dont need\"" 
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"

Hope this helps ...

cheers, MuS



swangertyler
Explorer

MuS. Nailed it. I had to tweak it minorly to get it to work with my real data since my "hostnameM" takes the form of a fully qualified domain name.

| makeresults 
| eval message="Please retire the following nodes(s):
fully.qualified.domain1 node_id: \"text I dont need\"
    fully.qualified.domain2 node_id: \"text I dont need\"
    fully.qualified.domain3 node_id: \"text I dont need\"
    .
.
.
fully.qualified.domainN node_id: \"text I dont need\"
    Property: \"text I dont need\"" 
| rex field=message max_match=0 "(?<hostname>\S+)\snode_id"
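To make the three patterns in this thread comparable side by side (the original greedy `(?s)` attempt, MuS's `\w+` version, and a per-line version that also handles the fully qualified names from the follow-up), here is an added example in Python's `re` module. It is not Splunk code and not from either poster; the sample blocks are constructed from the format shown in the thread, and `re.findall` plays the role of `rex ... max_match=0` (every match of the single named group). The character classes and flags used here behave the same under Splunk's PCRE, which also accepts the `(?P<name>...)` spelling of a named group.

```python
import re

# Constructed sample: the block shape described in the thread, with the
# indentation MuS's example used on some lines and no trailing newline.
SAMPLE = (
    'Please retire the following nodes(s):\n'
    'hostname1 node_id: "text I dont need"\n'
    '    hostname2 node_id: "text I dont need"\n'
    '    hostname3 node_id: "text I dont need"\n'
    'hostnameN node_id: "text I dont need"\n'
    '    Property: "text I dont need"'
)

# Constructed variant with fully qualified domain names, as in the OP's real data.
SAMPLE_FQDN = (
    'Please retire the following nodes(s):\n'
    'fully.qualified.domain1 node_id: "text I dont need"\n'
    '    fully.qualified.domain2 node_id: "text I dont need"\n'
    '    fully.qualified.domainN node_id: "text I dont need"\n'
    '    Property: "text I dont need"'
)

# The OP's original single-group pattern: (?s) lets "." cross newlines, so the
# greedy ".*" swallows the whole block into one capture instead of one per line.
GREEDY_PATTERN = re.compile(
    r"(?s)Please retire the following nodes\(s\):\n(?P<hostname>.*).\n"
)

# MuS's accepted answer: \w+ stops at ".", so an FQDN yields only its last label.
WORD_PATTERN = re.compile(r"(?P<hostname>\w+)\snode_id")

# Per-line version: (?m) makes ^ match at every line start, \s* skips any
# indentation, and \S+ takes the first token whether it is a bare name or an
# FQDN. Only lines whose first token is followed by " node_id" are captured,
# so the header and the trailing "Property:" line are ignored.
LINE_PATTERN = re.compile(r"(?m)^\s*(?P<hostname>\S+)\snode_id")


def extract(pattern, text):
    """Return every capture of the pattern's single group, like rex max_match=0."""
    return pattern.findall(text)


if __name__ == "__main__":
    print("greedy  :", extract(GREEDY_PATTERN, SAMPLE))
    print("word    :", extract(WORD_PATTERN, SAMPLE), extract(WORD_PATTERN, SAMPLE_FQDN))
    print("per-line:", extract(LINE_PATTERN, SAMPLE), extract(LINE_PATTERN, SAMPLE_FQDN))
```

Running it shows the greedy pattern returning a single multi-line capture (one "hostname" containing the whole list), the `\w+` pattern returning `domain1`, `domain2`, `domainN` for the FQDN sample, and the per-line pattern returning the full names with no leading whitespace for both samples. The per-line pattern can be dropped into `rex field=message max_match=0 "..."` unchanged.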

swangertyler
Explorer

The "block of text" takes the following form:

Please retire the following nodes(s):
hostname1 node_id: "text I dont need"
hostname2 node_id: "text I dont need"
hostname3 node_id: "text I dont need"
.
.
.
hostnameN node_id: "text I dont need"
Property: "text I dont need"

and what I would like is a list:
hostname1
hostname2
.
.
.
hostnameN
