Hi all -
I'm struggling to extract the hostname from a DHCP request in my logs:
Mar 4 15:30:40 192.168.1.1 Mar 4 15:30:40 SecurityGateway dhcpd: execute_statement argv[2] = Nest-C256.Ourhouse
What I'm after is a count of the different hosts. I think it's fair to assume they will contain uppercase/lowercase letters, numbers, and/or : and .
I've tried all sorts and I can't extract Nest-C256.Ourhouse from the case above, I've tried the following with no result:
Base Search .... | rex "argv[2]s=\s(?<Host>.[a-z A-Z,-,.]+)"
What I'd like is a table with a count against each hostname
Your regular expression is close, but needs a few escapes. Try argv\[2\]\s\=\s(?<Host>.[\w\-\.]+)
Guys, thanks for the quick response. For anyone else searching for the same, the following worked a treat:
rex "argv\[2\]\s=\s(?<host_value>[\w\-.]+)" | stats count by host_value
Try this
index=... sourcetype=...
| rex argv\[\d+\]\s=\s(?<host_value>\S+)
| stats count by host_value
This looked like the bit I was struggling with, argv\[2\]\s, but thanks for the additional bits.
This works exactly as expected, I'm not sure why you skipped over this..
You are right, it worked; however, I was looking to only return those values following 'argv[2] =' and not 'argv'. Both worked, and I accepted the one which narrowed down my search. I did, however, use elements from both posts!
Brush up on your regex.. argv\[\d+\]\s=\s(?<host_value>\S+) applies to argv[2] = perfectly.
Feel free to upvote if my answer helped you
Regex is my weak point, plus I'm new to Splunk.. I totally see the issue here, \d+ meaning any digit. The issue was it was returning values for multiple argv[1..2..3..4..5] etc.
Upvoted as you did help
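As an added example (not code from the thread or from Splunk), the same extraction in Python's re module shows the three regexes side by side: the original attempt with unescaped brackets matches nothing, argv\[2\]\s= counts only the hostnames, and argv\[\d+\]\s= also pulls in the other argv indexes. The log lines are constructed, and Python names groups with (?P<name>...) where rex uses (?<name>...).

```python
import re
from collections import Counter

# Constructed dhcpd syslog lines in the format shown in the question.
# The argv[1] and argv[3] entries are made up to show why the index matters.
SAMPLE_LOG = """\
Mar 4 15:30:40 192.168.1.1 Mar 4 15:30:40 SecurityGateway dhcpd: execute_statement argv[2] = Nest-C256.Ourhouse
Mar 4 15:30:41 192.168.1.1 Mar 4 15:30:41 SecurityGateway dhcpd: execute_statement argv[1] = 192.168.1.50
Mar 4 15:30:41 192.168.1.1 Mar 4 15:30:41 SecurityGateway dhcpd: execute_statement argv[2] = Laptop-01.Ourhouse
Mar 4 15:30:42 192.168.1.1 Mar 4 15:30:42 SecurityGateway dhcpd: execute_statement argv[2] = Nest-C256.Ourhouse
Mar 4 15:30:42 192.168.1.1 Mar 4 15:30:42 SecurityGateway dhcpd: execute_statement argv[3] = aa:bb:cc:dd:ee:ff
"""

# Unescaped [2] is a character class matching the single character "2",
# so "argv[2]" in the text never matches: this is why the first attempt failed.
BROKEN = re.compile(r"argv[2]\s=\s(?P<host_value>[\w\-.]+)")

# Escaped brackets pin the match to argv[2], the hostname argument.
ARGV2_ONLY = re.compile(r"argv\[2\]\s=\s(?P<host_value>\S+)")

# \d+ accepts any index, so IP addresses and MACs from other argv slots leak in.
ANY_ARGV = re.compile(r"argv\[\d+\]\s=\s(?P<host_value>\S+)")


def count_hosts(log_text, pattern):
    """Equivalent of `rex ... | stats count by host_value`: count each captured value."""
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host_value")] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, pattern in (("BROKEN", BROKEN), ("ARGV2_ONLY", ARGV2_ONLY), ("ANY_ARGV", ANY_ARGV)):
        print(name, count_hosts(SAMPLE_LOG, pattern))
```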