Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting data from host field into a new field

amontero86
New Member
‎01-16-2015 09:37 AM

I am trying to extract data from the host field as the name of the host gives information about the location and where in that location something exists.

Example: host="BUSINESS_PRODUCTION_NYC_ST06"

In the example above I want to Pull out NYC and put it into a City field. Which I have tried doing that using the following

| rex field=host "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

however when I run that search I do not see the new City field. However if try that using a different field it seems to work.

| eval host2="BUSINESS_PRODUCTION_NYC_ST02" | rex field=host2 "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

Am I missing something or is this a bug? ( I am using 6.2.0)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V

View solution in original post

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:24 AM

Thanks looking at your example I realized that I was using underscores instead of dashes. Its always the simple answers smh. Thanks for your time.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:25 AM

Enjoy. Cheerrss!

V
0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:16 AM

Hi, Try this, |stats count | eval
host2="BUSINESS_PRODUCTION_NYC_ST02" |
rex field=host2
"BUSINESS_PRODUCTION_(?.)_ST"
| table host2,City

Cheerrss!

I am not sure why I can't see this response on this page. The query I posted that operates on host2 works without any problems. However when I apply the query to the host field it does not work.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:22 AM

I have deleted and re posted the answer.

V
0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-16-2015 10:00 AM

Was the difference in the above to extraction expressions "\w" vs "\w+" intended? I have seen similar questions and note that it should work the same on indexed fields as well as extracted or _raw data.

0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:02 AM

Nope that is what happens when you type rather than copy sorry.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...