Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract via rex a list of hostnames from a block of text

swangertyler
Path Finder
‎06-19-2019 01:59 PM

I am trying to get a list of hostnames from a block of text via rex. I know I want the first string of every newline after the string "Please retire the following nodes(s):"

I couldnt solve for that, so I figured just getting all of the text after that string was "close enough" for now. I cannot get that to work right either.

| rex field=description "(?mis)Please retire the following nodes\(s\):\n(?P<hostname>.*).\n"

That doesn't return me anything. I have tried using online testers, and that regex seems to pass. What am I missing?

Plus, if anyone wants to flex their regex-fu and help me just get the first string on every new line vs. solving my "adjusted" problem, that is cool with me too.

Frankly, any help is appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-19-2019 04:35 PM

hi swangertyler,

based on the provided examples give this a try:

| makeresults 
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
    hostname2 node_id: \"text I dont need\"
    hostname3 node_id: \"text I dont need\"
    .
.
.
hostnameN node_id: \"text I dont need\"
    Property: \"text I dont need\"" 
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-19-2019 04:35 PM

hi swangertyler,

based on the provided examples give this a try:

| makeresults 
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
    hostname2 node_id: \"text I dont need\"
    hostname3 node_id: \"text I dont need\"
    .
.
.
hostnameN node_id: \"text I dont need\"
    Property: \"text I dont need\"" 
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

swangertyler
Path Finder
‎06-20-2019 07:46 AM

MuS. Nailed it. I had to tweak it minorly to get it to work with my real data since my "hostnameM" takes the form of a fully qualified domain name.

 | makeresults 
 | eval message="Please retire the following nodes(s):
 fully.qualified.domain1 node_id: \"text I dont need\"
     fully.qualified.domain2 node_id: \"text I dont need\"
     fully.qualified.domain3 node_id: \"text I dont need\"
     .
 .
 .
 fully.qualified.domainN node_id: \"text I dont need\"
     Property: \"text I dont need\"" 
 | rex field=message max_match=0 "(?<hostname>.*)\snode_id"
0 Karma
Reply
Solved! Jump to solution

swangertyler
Path Finder
‎06-19-2019 02:05 PM

the "block of text" takes the following form.

Please retire the following nodes(s):
hostname1 node_id: "text I dont need"
hostname2 node_id: "text I dont need"
hostname3 node_id: "text I dont need"
.
.
.
hostnameN node_id: "text I dont need"
Property: "text I dont need"
~~~

and what I would like is a list
hostname1
hostname2
.
.
.
hostnameN

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...