Splunk Search

How to Extract substring from Splunk String using regex

user9025
Path Finder
 

I have a field "hostname" in Splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com".

I can refer to the host with the same name "host" in a Splunk query. I want to extract the substring with 4 digits after two dots; for the above example, it will be "ab1d". How should my Splunk query look for this extraction?

Basically I have been given a string, and want to skip two dots and then take the four characters after that.

 

0 Karma

user9025
Path Finder

My existing query looks like the following and it works fine:

index=Myindex  sourcetype=app-sourcename "text to search" |  eval hostname= substr(host, len(host)-17) | stats count by host

Getting the last 17 characters from the string host.

Now I want to do an operation on host before it goes to stats, which is to extract 4 chars from hostname after skipping 2 dots. Can you tell me how I can modify the existing query to do that? I searched for string manipulation functions, but they do not seem to work here.


0 Karma

gcusello
Legend

Hi @user9025,

please try this:

| rex field=hostname "^\w+\.\w+\.(?<my_host>\w{4})"

that you can test at https://regex101.com/r/fWR8LV/1

Ciao.

giuseppe

0 Karma

user9025
Path Finder

Thanks for the reply, but hostname is not available as raw text. It's a field that can be referred to by "host" directly. If I click on the event, I see one field named "host".

So in my Splunk query, I can directly refer to "host" without a rex field. The following is how my event looks:

 

INFO  2022-02-14T02:16:15,129 servername requestid=asds This is my log info
  • host =Hostname
  • source =logfilename

I am looking for something like extract_regex(string, regex) where I can pass extract_regex(host, REGEX).

I tried to replace REGEX with yours, but it does not work.

0 Karma

gcusello
Legend

Hi @user9025,

if you don't have the field hostname, search the regex on the _raw

| rex "^\w+\.\w+\.(?<my_host>\w{4})"

Ciao.

Giuseppe

0 Karma
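To see what the regex from the answers above actually captures, here is an added Python example (not code from the thread, and not Splunk's own implementation) that applies the same pattern to a few constructed sample events. Splunk's rex uses PCRE-style named groups `(?<name>...)`, which Python's `re` spells `(?P<name>...)`; the pattern is otherwise identical. The sample events, the field name `host`, and the helper names `extract_my_host` and `count_by_field` are constructed for this illustration; `count_by_field` mirrors `| stats count by my_host`, which drops events where the field is null.

```python
import re

# Same pattern as "^\w+\.\w+\.(?<my_host>\w{4})" in the rex answer, in Python syntax:
# two dot-separated labels from the start of the string, then capture the next 4 word chars.
HOST_PATTERN = re.compile(r"^\w+\.\w+\.(?P<my_host>\w{4})")


def extract_my_host(value):
    """Return the 4-character token after the second dot, or None when there is no match
    (fewer than two dots, or a string that does not begin with a dotted hostname)."""
    if value is None:
        return None
    m = HOST_PATTERN.match(value)
    return m.group("my_host") if m else None


# Constructed sample events mirroring the thread: a host field plus a raw log line.
SAMPLE_EVENTS = [
    {"host": "server.region.ab1dc2.mydomain.com",
     "_raw": "INFO  2022-02-14T02:16:15,129 servername requestid=asds This is my log info"},
    {"host": "web01.euwest.zz9qq1.mydomain.com",
     "_raw": "INFO  2022-02-14T02:16:16,004 servername requestid=bbbb Another line"},
    {"host": "localhost",  # fewer than two dots: the pattern does not match
     "_raw": "WARN  2022-02-14T02:16:17,100 servername requestid=cccc Short host"},
]


def count_by_field(events, field):
    """Equivalent of `| rex field=<field> "..." | stats count by my_host`:
    extract from the named field and count the distinct values, skipping events
    where extraction produced nothing (stats drops null group-by values)."""
    counts = {}
    for ev in events:
        key = extract_my_host(ev.get(field))
        if key is None:
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Against the host field the regex yields the 4-character token.
    print(count_by_field(SAMPLE_EVENTS, "host"))
    # Against _raw the line starts with "INFO", not a dotted hostname, so nothing is extracted.
    print(count_by_field(SAMPLE_EVENTS, "_raw"))
```

Running it shows that the pattern works when pointed at the field holding the hostname (`field=host` in rex terms), while the anchored `^` makes it match nothing against a raw event line whose first token is the log level, and a hostname with fewer than two dots is simply skipped rather than producing a partial value.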
