Splunk Search

Get the network server names from the _raw events

Raghav2384
Motivator

Hello Again,
We have an index=network which isn't set up at host level, so we do not have accuracy using the host field. I have to look in the events and get the list from them :(. This is what the events look like:

event 1: May 1 10:20:37 3.9.128.37 May 1 14:24:50 **slot1/ISSvsXUSalpdc01a** debug apd[9979]: 01490024:7: a24c56dc: LDAP module: LEAVE Function queryLDAP.

event 2: Apr 30 06:59:36 **xbtssyslog1.ae.xy.com** EOGfeEGBwalke01 Apr 30 2014 06:59:36 EOGfeEGBwalke01 : %ASA-5-304001: 10.168.3.11 Accessed URL ##12.30.128.137:ww.theminiforum.xx.xy/

So, it's pretty much the third word I need from every log event (this example: "slot1/ISSvsXUSalpdc01a" & "xbtssyslog1.ae.xy.com").

I tried delim="" to see if it splits (no luck). Please advise.
Thanks in advance.
Raghav

1 Solution

lguinn2
Legend

First, I would get the indexing fixed. There are many ways to set the host field on inbound data - inputs.conf, props.conf and transforms.conf.

But to get the host field out of already indexed data, you could do this

index=network 
| rex "(?:^.*?\d{2}:\d{2}:\d{2}.*?\d{2}:\d{2}:\d{2}|^.*?\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s"

I am not entirely sure that this will work - it is a fairly complex regular expression. I named the resulting field hostname to distinguish it from the default host field.


richgalloway
SplunkTrust

The key is to find commonalities among your events and then write a regex that extracts the desired data from them. I see no such commonalities in your examples. The host names are the 8th and 4th words, respectively, so word count doesn't work. Nor do I see any other anchor that can be used to find the host name in each event. Perhaps you can use source or sourcetype to determine which of several regexes to apply to the associated event.

A better approach would be to parse the events as they are indexed so the fields are available at search time.


lguinn2
Legend

It's a bit complicated. I'll try, but I suggest "Teach Yourself Regular Expressions in 10 Minutes" or http://regular-expressions.info or any old Perl book you might have around.

EITHER dd:dd:dd anything dd:dd:dd 
OR anything dd:dd:dd
FOLLOWED BY the field hostname, which is a string of characters, terminated by whitespace
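As an added example (written for this page, not part of the thread) the Python below runs lguinn2's rex, translated from Splunk's (?<name>...) to Python's (?P<name>...) syntax, over two constructed events modelled on the question's samples, and beside it the per-sourcetype dispatch richgalloway suggested. The sourcetype names f5:bigip and cisco:asa are assumed labels for the two formats, chosen here only to key the lookup. Running it shows which token each regex picks out of each event: on the second format the generic regex's first alternative finds both timestamps and captures the token after the second one, while a regex chosen per sourcetype can be anchored on the single feature that format actually has.

```python
import re

# Constructed sample events, modelled on the two formats quoted in the question
# (bold markup removed). They are not real log data. The sourcetype keys are
# assumed names for the two formats, used only to select a regex below.
EVENTS = {
    "f5:bigip": (
        "May 1 10:20:37 3.9.128.37 May 1 14:24:50 slot1/ISSvsXUSalpdc01a debug "
        "apd[9979]: 01490024:7: a24c56dc: LDAP module: LEAVE Function queryLDAP."
    ),
    "cisco:asa": (
        "Apr 30 06:59:36 xbtssyslog1.ae.xy.com EOGfeEGBwalke01 Apr 30 2014 06:59:36 "
        "EOGfeEGBwalke01 : %ASA-5-304001: 10.168.3.11 Accessed URL "
        "12.30.128.137:ww.theminiforum.xx.xy/"
    ),
}

# lguinn2's rex. Alternation is ordered: the two-timestamp branch is tried first
# and wins whenever the event contains two hh:mm:ss stamps, so the captured token
# is the one right after the second stamp, whatever precedes it.
GENERIC_RE = re.compile(
    r"(?:^.*?\d{2}:\d{2}:\d{2}.*?\d{2}:\d{2}:\d{2}|^.*?\d{2}:\d{2}:\d{2})"
    r"\s(?P<hostname>\S+)\s"
)

# richgalloway's approach: one regex per format, selected by sourcetype.
SYSLOG_TS = r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}"   # e.g. "May 1 10:20:37"
PER_SOURCETYPE = {
    # format 1: relay timestamp, relay IP, device timestamp, then the host token
    "f5:bigip": re.compile(
        "^" + SYSLOG_TS + r"\s\S+\s" + SYSLOG_TS + r"\s(?P<hostname>\S+)\s"
    ),
    # format 2: relay timestamp, then the syslog server name the question wants
    "cisco:asa": re.compile("^" + SYSLOG_TS + r"\s(?P<hostname>\S+)\s"),
}


def extract_generic(event: str):
    """Apply lguinn2's single regex; None when it does not match."""
    m = GENERIC_RE.search(event)
    return m.group("hostname") if m else None


def extract_by_sourcetype(sourcetype: str, event: str):
    """Apply the regex chosen for the event's sourcetype; None if unknown/no match."""
    pattern = PER_SOURCETYPE.get(sourcetype)
    if pattern is None:
        return None
    m = pattern.search(event)
    return m.group("hostname") if m else None


def compare(events=EVENTS):
    """Return {sourcetype: (generic_result, per_sourcetype_result)} for each event."""
    return {
        st: (extract_generic(ev), extract_by_sourcetype(st, ev))
        for st, ev in events.items()
    }


if __name__ == "__main__":
    for st, (generic, specific) in compare().items():
        print(f"{st:10} generic={generic!r:26} per-sourcetype={specific!r}")
```

The generic regex returns slot1/ISSvsXUSalpdc01a for the first event and EOGfeEGBwalke01 for the second; the per-sourcetype regexes return slot1/ISSvsXUSalpdc01a and xbtssyslog1.ae.xy.com. Whichever token is the right one for your inventory, check the search-time result against a few known devices before trusting it, and move the extraction into the index-time configuration once it is stable.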

Raghav2384
Motivator

That worked like a charm. Could you please explain the rex you provided? I have more scenarios like this and can't figure out how it's getting to the host.
