- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract via rex a list of hostnames from a blo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get a list of hostnames from a block of text via rex. I know I want the first string of every newline after the string "Please retire the following nodes(s):"
I couldnt solve for that, so I figured just getting all of the text after that string was "close enough" for now. I cannot get that to work right either.
| rex field=description "(?mis)Please retire the following nodes\(s\):\n(?P<hostname>.*).\n"
That doesn't return me anything. I have tried using online testers, and that regex seems to pass. What am I missing?
Plus, if anyone wants to flex their regex-fu and help me just get the first string on every new line vs. solving my "adjusted" problem, that is cool with me too.
Frankly, any help is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi swangertyler,
based on the provided examples give this a try:
| makeresults
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
hostname2 node_id: \"text I dont need\"
hostname3 node_id: \"text I dont need\"
.
.
.
hostnameN node_id: \"text I dont need\"
Property: \"text I dont need\""
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi swangertyler,
based on the provided examples give this a try:
| makeresults
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
hostname2 node_id: \"text I dont need\"
hostname3 node_id: \"text I dont need\"
.
.
.
hostnameN node_id: \"text I dont need\"
Property: \"text I dont need\""
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS. Nailed it. I had to tweak it minorly to get it to work with my real data since my "hostnameM" takes the form of a fully qualified domain name.
| makeresults
| eval message="Please retire the following nodes(s):
fully.qualified.domain1 node_id: \"text I dont need\"
fully.qualified.domain2 node_id: \"text I dont need\"
fully.qualified.domain3 node_id: \"text I dont need\"
.
.
.
fully.qualified.domainN node_id: \"text I dont need\"
Property: \"text I dont need\""
| rex field=message max_match=0 "(?<hostname>.*)\snode_id"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the "block of text" takes the following form.
Please retire the following nodes(s):
hostname1 node_id: "text I dont need"
hostname2 node_id: "text I dont need"
hostname3 node_id: "text I dont need"
.
.
.
hostnameN node_id: "text I dont need"
Property: "text I dont need"
~~~
and what I would like is a list
hostname1
hostname2
.
.
.
hostnameN
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
