Splunk Search

Extract via rex a list of hostnames from a block of text

swangertyler
Explorer

I am trying to get a list of hostnames from a block of text via rex. I know I want the first string of every newline after the string "Please retire the following nodes(s):"

I couldnt solve for that, so I figured just getting all of the text after that string was "close enough" for now. I cannot get that to work right either.

| rex field=description "(?mis)Please retire the following nodes\(s\):\n(?P<hostname>.*).\n"

That doesn't return me anything. I have tried using online testers, and that regex seems to pass. What am I missing?

Plus, if anyone wants to flex their regex-fu and help me just get the first string on every new line vs. solving my "adjusted" problem, that is cool with me too.

Frankly, any help is appreciated.

Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

hi swangertyler,

based on the provided examples give this a try:

| makeresults 
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
    hostname2 node_id: \"text I dont need\"
    hostname3 node_id: \"text I dont need\"
    .
.
.
hostnameN node_id: \"text I dont need\"
    Property: \"text I dont need\"" 
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

hi swangertyler,

based on the provided examples give this a try:

| makeresults 
| eval message="Please retire the following nodes(s):
hostname1 node_id: \"text I dont need\"
    hostname2 node_id: \"text I dont need\"
    hostname3 node_id: \"text I dont need\"
    .
.
.
hostnameN node_id: \"text I dont need\"
    Property: \"text I dont need\"" 
| rex field=message max_match=0 "(?<hostname>\w+)\snode_id"

Hope this helps ...

cheers, MuS

swangertyler
Explorer

MuS. Nailed it. I had to tweak it minorly to get it to work with my real data since my "hostnameM" takes the form of a fully qualified domain name.

 | makeresults 
 | eval message="Please retire the following nodes(s):
 fully.qualified.domain1 node_id: \"text I dont need\"
     fully.qualified.domain2 node_id: \"text I dont need\"
     fully.qualified.domain3 node_id: \"text I dont need\"
     .
 .
 .
 fully.qualified.domainN node_id: \"text I dont need\"
     Property: \"text I dont need\"" 
 | rex field=message max_match=0 "(?<hostname>.*)\snode_id"
0 Karma

swangertyler
Explorer

the "block of text" takes the following form.

Please retire the following nodes(s):
hostname1 node_id: "text I dont need"
hostname2 node_id: "text I dont need"
hostname3 node_id: "text I dont need"
.
.
.
hostnameN node_id: "text I dont need"
Property: "text I dont need"
~~~

and what I would like is a list
hostname1
hostname2
.
.
.
hostnameN

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...