Splunk Search

How do I extract a hostname from a log where brackets are an issue?

Engager

Hi all -

I'm struggling to extract the hostname from a DHCP request in my logs:

Mar 4 15:30:40 192.168.1.1 Mar 4 15:30:40 SecurityGateway dhcpd: execute_statement argv[2] = Nest-C256.Ourhouse

What I'm after is a count of the different hosts; I think it's fair to assume they will contain uppercase/lowercase/numbers and/or ':' and '.'.

I've tried all sorts and I can't extract Nest-C256.Ourhouse from the case above, I've tried the following with no result:

Base Search .... | rex "argv[2]s=\s(?.[a-z A-Z,-,.]+)"

What I'd like is a table with a count against each hostname

1 Solution

SplunkTrust

Your regular expression is close, but needs a few escapes. Try argv\[2\]\s\=\s(?<Host>.[\w\-\.]+).

---
If this reply helps you, an upvote would be appreciated.

Engager

Guys, thanks for the quick response. For anyone else searching for the same, the following worked a treat:

rex "argv\[2\]\s=\s(?<host_value>.[\w\-\.]+)" | stats count by host_value

SplunkTrust

Try this

index=... sourcetype=...
| rex "argv\[\d+\]\s=\s(?<host_value>\S+)"
| stats count by host_value

Engager

This looked like the bit I was struggling with, argv\[2\]\s, but thanks for the additional bits.

SplunkTrust

This works exactly as expected; I'm not sure why you skipped over this.

Engager

You are right, it worked; however, I was looking to only return those values following 'argv[2] =' and not 'argv'. Both worked; I accepted the one which narrowed down my search. I did however use elements from both posts!

SplunkTrust

Brush up on your regex. argv\[\d+\]\s=\s(?<host_value>\S+) applies to argv[2] = perfectly.

Feel free to upvote if my answer helped you

Engager

Regex is my weak point, plus I'm new to Splunk. I totally see the issue here, \d+ meaning any digit. The issue was it was returning values for multiple argv[1..2..3..4..5] etc.

Upvoted as you did help

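The three patterns discussed in this thread side by side, as an added Python example that is not part of the original posts: the unescaped argv[2] (a character class, so it never matches the literal brackets), the broad argv\[\d+\] (any index) and the narrowed argv\[2\] (one index), each followed by the equivalent of stats count by host_value. Only the first log line is from the post; the others are constructed, and Python's re spells a named group (?P<name>...) where Splunk's PCRE-based rex uses (?<name>...).

```python
import re
from collections import Counter

# Constructed sample dhcpd lines. The first is from the question; the rest
# are made up to show several argv indices and a second host.
LOG_LINES = [
    "Mar 4 15:30:40 192.168.1.1 Mar 4 15:30:40 SecurityGateway dhcpd: execute_statement argv[2] = Nest-C256.Ourhouse",
    "Mar 4 15:30:40 192.168.1.1 Mar 4 15:30:40 SecurityGateway dhcpd: execute_statement argv[1] = 192.168.1.57",
    "Mar 4 15:31:02 192.168.1.1 Mar 4 15:31:02 SecurityGateway dhcpd: execute_statement argv[2] = laptop-01.Ourhouse",
    "Mar 4 15:31:02 192.168.1.1 Mar 4 15:31:02 SecurityGateway dhcpd: execute_statement argv[3] = 00:11:22:33:44:55",
    "Mar 4 15:32:15 192.168.1.1 Mar 4 15:32:15 SecurityGateway dhcpd: execute_statement argv[2] = Nest-C256.Ourhouse",
]

# Unescaped brackets: "[2]" is a character class matching the single
# character '2', so "argv[2]" in the regex never matches "argv[2]" in the log.
UNESCAPED_ARGV2 = re.compile(r"argv[2]\s=\s(?P<host_value>\S+)")
# Broad pattern from the thread: any argv index, any non-space value.
ANY_ARGV = re.compile(r"argv\[\d+\]\s=\s(?P<host_value>\S+)")
# Narrowed pattern: only argv[2]; brackets escaped so they are literals.
# The value class covers word chars, '-', '.' and ':' as the asker expected.
ARGV2_ONLY = re.compile(r"argv\[2\]\s=\s(?P<host_value>[\w\-.:]+)")


def extract_values(lines, pattern):
    """Return the host_value captures in order, like rex adding a field."""
    values = []
    for line in lines:
        m = pattern.search(line)
        if m:
            values.append(m.group("host_value"))
    return values


def count_by_host(lines, pattern=ARGV2_ONLY):
    """Equivalent of '| stats count by host_value': {host_value: count}."""
    return dict(Counter(extract_values(lines, pattern)))


if __name__ == "__main__":
    print("unescaped argv[2]:", count_by_host(LOG_LINES, UNESCAPED_ARGV2))
    print("any argv index:   ", count_by_host(LOG_LINES, ANY_ARGV))
    print("argv[2] only:     ", count_by_host(LOG_LINES))
```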