Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting data from host field into a new field

amontero86
New Member
‎01-16-2015 09:37 AM

I am trying to extract data from the host field as the name of the host gives information about the location and where in that location something exists.

Example: host="BUSINESS_PRODUCTION_NYC_ST06"

In the example above I want to Pull out NYC and put it into a City field. Which I have tried doing that using the following

| rex field=host "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

however when I run that search I do not see the new City field. However if try that using a different field it seems to work.

| eval host2="BUSINESS_PRODUCTION_NYC_ST02" | rex field=host2 "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

Am I missing something or is this a bug? ( I am using 6.2.0)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V

View solution in original post

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:24 AM

Thanks looking at your example I realized that I was using underscores instead of dashes. Its always the simple answers smh. Thanks for your time.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:25 AM

Enjoy. Cheerrss!

V
0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:16 AM

Hi, Try this, |stats count | eval
host2="BUSINESS_PRODUCTION_NYC_ST02" |
rex field=host2
"BUSINESS_PRODUCTION_(?.)_ST"
| table host2,City

Cheerrss!

I am not sure why I can't see this response on this page. The query I posted that operates on host2 works without any problems. However when I apply the query to the host field it does not work.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:22 AM

I have deleted and re posted the answer.

V
0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-16-2015 10:00 AM

Was the difference in the above to extraction expressions "\w" vs "\w+" intended? I have seen similar questions and note that it should work the same on indexed fields as well as extracted or _raw data.

0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:02 AM

Nope that is what happens when you type rather than copy sorry.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top