Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting data from host field into a new field

amontero86
New Member
‎01-16-2015 09:37 AM

I am trying to extract data from the host field as the name of the host gives information about the location and where in that location something exists.

Example: host="BUSINESS_PRODUCTION_NYC_ST06"

In the example above I want to Pull out NYC and put it into a City field. Which I have tried doing that using the following

| rex field=host "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

however when I run that search I do not see the new City field. However if try that using a different field it seems to work.

| eval host2="BUSINESS_PRODUCTION_NYC_ST02" | rex field=host2 "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

Am I missing something or is this a bug? ( I am using 6.2.0)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V

View solution in original post

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:24 AM

Thanks looking at your example I realized that I was using underscores instead of dashes. Its always the simple answers smh. Thanks for your time.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:25 AM

Enjoy. Cheerrss!

V
0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:16 AM

Hi, Try this, |stats count | eval
host2="BUSINESS_PRODUCTION_NYC_ST02" |
rex field=host2
"BUSINESS_PRODUCTION_(?.)_ST"
| table host2,City

Cheerrss!

I am not sure why I can't see this response on this page. The query I posted that operates on host2 works without any problems. However when I apply the query to the host field it does not work.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:22 AM

I have deleted and re posted the answer.

V
0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-16-2015 10:00 AM

Was the difference in the above to extraction expressions "\w" vs "\w+" intended? I have seen similar questions and note that it should work the same on indexed fields as well as extracted or _raw data.

0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:02 AM

Nope that is what happens when you type rather than copy sorry.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...