Splunk Search
Highlighted

Get the network server names from the _raw events

Motivator

Hello Again,
We have an index = network which isn't set up at the host level, so we do not have accuracy using the host field. I have to look in the events and get the list from them :(. This is what the events look like:

event 1: May 1 10:20:37 3.9.128.37 May 1 14:24:50 slot1/ISSvsXUSalpdc01a debug apd[9979]: 01490024:7: a24c56dc: LDAP module: LEAVE Function queryLDAP.

event 2: Apr 30 06:59:36 xbtssyslog1.ae.xy.com EOGfeEGBwalke01 Apr 30 2014 06:59:36 EOGfeEGBwalke01 : %ASA-5-304001: 10.168.3.11 Accessed URL ##12.30.128.137:ww.theminiforum.xx.xy/

So it's pretty much the third word I need from every log event (this example: "slot1/ISSvsXUSalpdc01a" and "xbtssyslog1.ae.xy.com").

I tried delim="" to see if it splits (no luck). Please advise.
Thanks in advance.
Raghav

0 Karma

Re: Get the network server names from the _raw events

Legend

First, I would get the indexing fixed. There are many ways to set the host field on inbound data - inputs.conf, props.conf and transforms.conf.

But to get the host field out of already indexed data, you could do this:

index=network 
| rex "(?:^.*?\d{2}:\d{2}:\d{2}.*?\d{2}:\d{2}:\d{2}|^.*?\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s"

I am not entirely sure that this will work - it is a fairly complex regular expression. I named the resulting field hostname to distinguish it from the default host field.


Re: Get the network server names from the _raw events

Motivator

That worked like a charm. Could you please explain the rex you provided? I have more scenarios like this and can't figure out how it's getting to the host.

0 Karma

Re: Get the network server names from the _raw events

Legend

It's a bit complicated. I'll try, but I suggest "Teach Yourself Regular Expressions in 10 Minutes" or http://regular-expressions.info or any old Perl book you might have around.

EITHER dd:dd:dd anything dd:dd:dd 
OR anything dd:dd:dd
FOLLOWED BY the field hostname, which is a string of characters, terminated by whitespace

Re: Get the network server names from the _raw events

SplunkTrust

The key is to find commonalities among your events and then write a regex that extracts the desired data from them. I see no such commonalities in your examples. The host names are the 8th and 4th words, respectively, so word count doesn't work. Nor do I see any other anchor that can be used to find the host name in each event. Perhaps you can use source or sourcetype to determine which of several regexes to apply to the associated event.

A better approach would be to parse the events as they are indexed so the fields are available at search time.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
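Worked example, added by the editor and not part of the thread: the rex from the accepted answer, written out with Python's re module (which needs (?P<name>...) instead of (?<name>...)) and commented part by part as the explanation above describes it, run over the two events from the question (retyped here without the asterisks, so treat them as constructed sample lines). Beside it is the per-sourcetype dispatch the SplunkTrust reply suggests. The sourcetype names apd_debug and asa_syslog are assumed labels, not anything from the page. Running it shows the caveat a practitioner should know: the first alternative (two timestamps) is tried first, and event 2 happens to contain two timestamps, so the posted pattern returns the word after the second one, EOGfeEGBwalke01, rather than xbtssyslog1.ae.xy.com; the per-sourcetype patterns return the name the question asked for in both cases.

```python
import re

# The rex from the accepted answer, same logic, Python group syntax,
# broken out with re.VERBOSE comments.
HOST_RE = re.compile(
    r"""
    (?:
        ^.*?\d{2}:\d{2}:\d{2}     # EITHER: anything, a first hh:mm:ss,
        .*?\d{2}:\d{2}:\d{2}      #         anything, a second hh:mm:ss
      |                           # OR (tried only if the branch above fails):
        ^.*?\d{2}:\d{2}:\d{2}     #         anything, a single hh:mm:ss
    )
    \s(?P<hostname>\S+)\s         # FOLLOWED BY a whitespace-delimited token
    """,
    re.VERBOSE,
)

# Constructed sample events: the two lines from the question with the
# asterisks removed. The sourcetype labels are assumed, not from the page.
EVENTS = {
    "apd_debug": (
        "May 1 10:20:37 3.9.128.37 May 1 14:24:50 slot1/ISSvsXUSalpdc01a "
        "debug apd[9979]: 01490024:7: a24c56dc: LDAP module: LEAVE Function queryLDAP."
    ),
    "asa_syslog": (
        "Apr 30 06:59:36 xbtssyslog1.ae.xy.com EOGfeEGBwalke01 Apr 30 2014 06:59:36 "
        "EOGfeEGBwalke01 : %ASA-5-304001: 10.168.3.11 Accessed URL "
        "##12.30.128.137:ww.theminiforum.xx.xy/"
    ),
}

# One regex per sourcetype, each anchored on the structure that feed
# actually has (the approach the SplunkTrust reply recommends).
SYSLOG_PREFIX = r"^\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+"
SOURCETYPE_RE = {
    # event 1 shape: timestamp, relay IP, second timestamp, then host
    "apd_debug": re.compile(
        SYSLOG_PREFIX + r"\S+\s+\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(?P<hostname>\S+)\s"
    ),
    # event 2 shape: timestamp, then host immediately
    "asa_syslog": re.compile(SYSLOG_PREFIX + r"(?P<hostname>\S+)\s"),
}


def posted_rex(event):
    """Apply the accepted answer's regex; None when it does not match."""
    m = HOST_RE.search(event)
    return m.group("hostname") if m else None


def host_by_sourcetype(sourcetype, event):
    """Pick the regex for this sourcetype; None for unknown types or no match."""
    pat = SOURCETYPE_RE.get(sourcetype)
    if pat is None:
        return None
    m = pat.search(event)
    return m.group("hostname") if m else None


def compare(events=EVENTS):
    """Return {sourcetype: (posted_rex result, per-sourcetype result)}."""
    return {
        st: (posted_rex(ev), host_by_sourcetype(st, ev))
        for st, ev in events.items()
    }


if __name__ == "__main__":
    for st, (generic, specific) in compare().items():
        print(f"{st:12s} posted rex -> {generic!s:24s} per-sourcetype -> {specific}")
```

In Splunk the same dispatch is done at search time without a script: one `EXTRACT-hostname = <regex>` under each `[sourcetype]` stanza in props.conf, which also answers the "fix it at index/search time" advice in both answers.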