Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extraction - Hostname with inconsistent

jpsheridan
Engager
‎10-22-2020 10:32 AM

I'm trying to do a field extraction for a hostname field that has some inconsistency with the format.

There are two types of formats for the hostname field and they can be in upper or lower, i need them in lower.

DOMAIN\hostname or hostname.xxxx.xx.xxx

Previously, I was replacing what I didn't want in that field , lowering that eval in order to join to a lookup table. What I'm trying to do now is a field extraction from that hostname field check for both formats and then removes DOMAIN\ or the .xxxxx.xx.xxx fqdn format from the end.


My REX commands that I'm using:

| rex field=hostname "DOMAIN\\\(?P<ComputerName>.*)"

|rex field=hostname "^(?<ComputerName>[^\.]+)"

Any help would be appreciated!

Labels (2)
Labels
Reply

vnravikumar
Champion
‎10-23-2020 02:31 AM

Hi

Try this

| makeresults 
| eval hostname = "DOMAIN\host1,host2.xxxx.xx.xxxx" 
| makemv delim="," hostname 
| mvexpand hostname 
| rex field=hostname "(DOMAIN\\\){0,1}(?P<host>[^.]+)"
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 12:16 PM

What results are you getting from your current search?  What results do you want?

It would help to see some sample data.

---
If this reply helps you, Karma would be appreciated.
Reply

jpsheridan
Engager
‎10-22-2020 01:06 PM

I will get a mix of hostnames in these two formats:

DOMAIN\hostname

hostname.xxxxx.xx.xxxx

DOMAIN and the x's are just from their fqdn. Some are upper and some are lower and the source is coming from a 3rd party system. I just want to pull the hostname in lower case for a field extraction.

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-23-2020 02:01 AM

What is wrong with the two rex you already have (apart from perhaps too many backslashes?)?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...