Splunk Search
Highlighted

Extracting selected hosts with regex / Regex hosts with exceptions

Communicator

Hi Splunkers,

I am trying to extract the hosts via regex.

host="*" | regex host="([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}" | dedup host | table host | sort -host

The problem is that some hosts have a name and some of them come with the full domain name.

For example:

host
xd-test-app05.abc-xz.com
xd-test-app04.abc-xz.com
xd-test-app03
xd-test-app03.abc-xz.com
xd-test-app02
xd-test-app02.abc-xz.com
xd-test-app01.abc-xz.com
xd-shared-db01.abc-xz.com
xd-qa-app08.abc-xz.com

Is there a way to add an exception to my regex?

Thanks in advance for your help.

regards
Mike

Highlighted

Re: Extracting selected hosts with regex / Regex hosts with exceptions

Motivator

What does the source data look like, are they all fqdn's? Why do you have . in your capture group, as that should match any character.

0 Karma
Highlighted

Re: Extracting selected hosts with regex / Regex hosts with exceptions

Communicator

Hi, I can't answer the question regarding The "." in my capture group since I just copied that from an example. St this point I can't provide Any sourcedata since i am not in The office any more. But The source is nothing special Art all.

0 Karma
Highlighted

Re: Extracting selected hosts with regex / Regex hosts with exceptions

SplunkTrust
SplunkTrust

A lot of the expression was lost in the formatting, now (amongst other things) the period is escaped properly.

0 Karma
Highlighted

Re: Extracting selected hosts with regex / Regex hosts with exceptions

Influencer

If they're all from the same domain

host="*" | rex field=host "^(?<host>[^.]+)" | dedup host | table host | sort -host

View solution in original post