Splunk Search

Extracting selected hosts with regex / Regex hosts with exceptions

lemikg
Communicator

Hi Splunkers,

I am trying to extract the hosts via regex.

host="*" | regex host="([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}" | dedup host | table host | sort -host

The problem is that some hosts have a name and some of them come with the full domain name.

For example:

host
xd-test-app05.abc-xz.com
xd-test-app04.abc-xz.com
xd-test-app03
xd-test-app03.abc-xz.com
xd-test-app02
xd-test-app02.abc-xz.com
xd-test-app01.abc-xz.com
xd-shared-db01.abc-xz.com
xd-qa-app08.abc-xz.com

Is there a way to add an exception to my regex?

Thanks in advance for your help.

regards
Mike

1 Solution

jonuwz
Influencer

If they're all from the same domain

host="*" | rex field=host "^(?<host>[^.]+)" | dedup host | table host | sort -host


martin_mueller
SplunkTrust

A lot of the expression was lost in the formatting, now (amongst other things) the period is escaped properly.

0 Karma

lemikg
Communicator

Hi, I can't answer the question regarding the "." in my capture group since I just copied that from an example. At this point I can't provide any source data since I am not in the office any more. But the source is nothing special at all.

0 Karma

mikelanghorst
Motivator

What does the source data look like? Are they all FQDNs? Why do you have . in your capture group, as that should match any character?

0 Karma
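
The accepted answer's "if they're all from the same domain" condition can be checked before relying on the short names. The search below is an added example, not part of the original thread: it keeps the original host value, splits it into a short name and a domain, leaves IPv4-style host values whole (the `^[^.]+` pattern would otherwise cut them to the first octet), and flags short names seen under more than one domain. The field names (`short_host`, `domain`, `seen_as`, `collision`, `is_ipv4`) and the sample values `xd-test-app02.other.example` and `10.20.30.40` are constructed for illustration.

```spl
| makeresults
| eval constructed_sample_hosts="xd-test-app03.abc-xz.com,xd-test-app03,xd-test-app02,xd-test-app02.abc-xz.com,xd-shared-db01.abc-xz.com,xd-test-app02.other.example,10.20.30.40"
| eval host=split(constructed_sample_hosts, ",")
| mvexpand host
| fields host
| eval is_ipv4=if(match(host, "^\d{1,3}(\.\d{1,3}){3}$"), 1, 0)
| rex field=host "^(?<short_host>[^.]+)(?:\.(?<domain>.+))?$"
| eval short_host=if(is_ipv4=1, host, short_host), domain=if(is_ipv4=1, null(), domain)
| stats values(host) AS seen_as, values(domain) AS domains, dc(domain) AS domain_count BY short_host
| eval collision=if(domain_count>1, "yes", "no")
| sort - short_host
```

On the sample data, `xd-test-app02` is the only row with `collision="yes"`, because it appears under two domains. To run this against real events, replace the first five lines with the base search (for example `host="*"`).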