Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Extract substring from Splunk String using regex

user9025
Path Finder
‎02-14-2022 02:16 AM
 

I ave a field "hostname" in splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com".

I can refer to host with same name "host" in splunk query. I want to extract the substring with 4 digits after two dots ,for the above example , it will be "ab1d". How my splunk query should look like for this extraction?

Basically I have been given a string, and want to skip two dots and then take the four characters after that.

 

Labels (3)
Labels
0 Karma
Reply

user9025
Path Finder
‎02-14-2022 03:31 AM

My existing query looks like follow and it works fine:

index=Myindex  sourcetype=app-sourcename "text to search" |  eval hostname= substr(host, len(host)-17) | stats count by host

Getting last 17 characters from string host.

Now i want to do operation on host before it goes to stats ,which is to extract 4 chars from hostname after skipping 2 dots, can u tell how can I modify existing query to do that?I searched sot string manipulation functions, but it does not seem to work here

 

 

 

 

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-14-2022 02:21 AM

Hi @user9025,

please try this:

| rex field=hostname "^\w+\.\w+\.(?<my_host>\w{4})"

that you can test at https://regex101.com/r/fWR8LV/1

Ciao.

giuseppe

0 Karma
Reply

user9025
Path Finder
‎02-14-2022 02:38 AM

Thanks for reply but hostname is not available as a raw text.Its a filed, that can be referred by"host" directly,If i click on event, I see one field name as "host".

 

So in my splunk query, I can directly refer "host" without rex field.Following is how my event looks like:

 

INFO  2022-02-14T02:16:15,129 servername requestid=asds This is my log info
  • host =Hostname
  • source =logfilename

I am looking something, extract_regex(string,regex) where i can pass extract_regex(host,REGEX), 

i tried to replace REGEX with yours, but it does not work

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-14-2022 03:02 AM

Hi @user9025,

if you haven't the field hostname, search the regex on the _raw

| rex "^\w+\.\w+\.(?<my_host>\w{4})"

Ciao.

Giuseppe

0 Karma
Reply

user9025
Path Finder
‎02-14-2022 03:31 AM

My existing query looks like follow and it works fine:

index=Myindex  sourcetype=app-sourcename "text to search" |  eval hostname= substr(host, len(host)-17) | stats count by host

Getting last 17 characters from string host.

Now i want to do operation on host before it goes to stats ,which is to extract 4 chars from hostname after skipping 2 dots, can u tell how can I modify existing query to do that?I searched sot string manipulation functions, but it does not seem to work here

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...