Hello Again,
We have an index = network which isn't set up at host level, so we do not have accuracy using the host field. I have to look in the events and get the list from it :(. This is what the events look like:
event 1: May 1 10:20:37 3.9.128.37 May 1 14:24:50 slot1/ISSvsXUSalpdc01a debug apd[9979]: 01490024:7: a24c56dc: LDAP module: LEAVE Function queryLDAP.
event 2: Apr 30 06:59:36 xbtssyslog1.ae.xy.com EOGfeEGBwalke01 Apr 30 2014 06:59:36 EOGfeEGBwalke01 : %ASA-5-304001: 10.168.3.11 Accessed URL ##12.30.128.137:ww.theminiforum.xx.xy/
So, it's pretty much the third word I need from every log event (this example: "slot1/ISSvsXUSalpdc01a" & "xbtssyslog1.ae.xy.com").
I tried delim="" to see if it splits (no luck). Please advise.
Thanks in advance.
Raghav
First, I would get the indexing fixed. There are many ways to set the host field on inbound data - inputs.conf, props.conf and transforms.conf.
But to get the host field out of already indexed data, you could do this:
index=network
| rex "(?:^.*?\d{2}:\d{2}:\d{2}.*?\d{2}:\d{2}:\d{2}|^.*?\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s"
I am not entirely sure that this will work - it is a fairly complex regular expression. I named the resulting field hostname to distinguish it from the default host field.
The key is to find commonalities among your events and then write a regex that extracts the desired data from them. I see no such commonalities in your examples. The host names are the 8th and 4th words, respectively, so word count doesn't work. Nor do I see any other anchor that can be used to find the host name in each event. Perhaps you can use source or sourcetype to determine which of several regexes to apply to the associated event.
A better approach would be to parse the events as they are indexed so the fields are available at search time.
It's a bit complicated. I'll try, but I suggest "Teach Yourself Regular Expressions in 10 Minutes" or http://regular-expressions.info or any old Perl book you might have around.
EITHER dd:dd:dd anything dd:dd:dd
OR anything dd:dd:dd
FOLLOWED BY the field hostname, which is a string of characters, terminated by whitespace
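To make the EITHER / OR explanation concrete, here is an added example (not from the thread or from Splunk) that runs the same regex in Python against the two sample lines posted above plus one constructed line that carries only a single timestamp, so both alternatives get exercised. Splunk's rex uses PCRE named groups (?<name>...); Python's re module needs (?P<name>...), which is the only change to the pattern. The helper names and the third sample line are assumptions made for this example.

```python
import re

# The rex pattern from the answer above, with the named group rewritten in
# Python syntax ((?P<hostname>...) instead of PCRE's (?<hostname>...)).
# Branch 1: dd:dd:dd anything dd:dd:dd   Branch 2: anything dd:dd:dd
# Then: one whitespace, the hostname (non-whitespace run), one whitespace.
HOSTNAME_RE = re.compile(
    r"(?:^.*?\d{2}:\d{2}:\d{2}.*?\d{2}:\d{2}:\d{2}|^.*?\d{2}:\d{2}:\d{2})"
    r"\s(?P<hostname>\S+)\s"
)

TIMESTAMP_RE = re.compile(r"\d{2}:\d{2}:\d{2}")

# The first two lines are the events posted in the question (bold markers
# stripped). The third line is constructed for this example: it has only one
# timestamp, so it can only be matched by the OR branch.
SAMPLE_EVENTS = [
    "May 1 10:20:37 3.9.128.37 May 1 14:24:50 slot1/ISSvsXUSalpdc01a debug "
    "apd[9979]: 01490024:7: a24c56dc: LDAP module: LEAVE Function queryLDAP.",
    "Apr 30 06:59:36 xbtssyslog1.ae.xy.com EOGfeEGBwalke01 Apr 30 2014 06:59:36 "
    "EOGfeEGBwalke01 : %ASA-5-304001: 10.168.3.11 Accessed URL "
    "##12.30.128.137:ww.theminiforum.xx.xy/",
    "May 2 08:15:01 fw-edge-01 kernel: constructed sample line with one timestamp",
]


def extract_hostname(line):
    """Return the token the rex pattern captures as 'hostname', or None."""
    match = HOSTNAME_RE.search(line)
    return match.group("hostname") if match else None


def timestamps_before_hostname(line):
    """How many dd:dd:dd timestamps precede the captured hostname.

    2 means the EITHER branch matched, 1 means the OR branch matched,
    None means the pattern did not match at all.
    """
    match = HOSTNAME_RE.search(line)
    if not match:
        return None
    return len(TIMESTAMP_RE.findall(line[: match.start("hostname")]))


def extract_all(lines):
    """Apply the extraction to every line; returns (hostname, branch) pairs."""
    return [(extract_hostname(ln), timestamps_before_hostname(ln)) for ln in lines]


if __name__ == "__main__":
    for line, (host, count) in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        branch = {2: "EITHER (two timestamps)", 1: "OR (one timestamp)"}.get(count, "no match")
        print(f"{branch:26s} hostname={host!r}")
        print(f"    {line[:70]}...")
```

Running it shows the behaviour the explanation describes: the lazy `.*?` pieces stop at the first and second timestamps they can reach, and whatever token follows the last consumed timestamp is captured. On the first sample that is slot1/ISSvsXUSalpdc01a; on the second sample both timestamps sit before EOGfeEGBwalke01, so that token, not the relay name xbtssyslog1.ae.xy.com, is what this pattern returns for that line, which is the lack of a common anchor the other answer points out. On the constructed single-timestamp line the OR branch takes over and returns fw-edge-01.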
That worked like a charm. Could you please explain the rex you provided? I have more scenarios like this and can't figure out how it's getting to the host.