Splunk Search

How to Extract substring from Splunk String using regex

user9025
Path Finder
I have a field "hostname" in Splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com".

I can refer to host with the same name "host" in the Splunk query. I want to extract the substring with 4 digits after two dots. For the above example, it will be "ab1d". How should my Splunk query look for this extraction?

Basically I have been given a string, and want to skip two dots and then take the four characters after that.

0 Karma

user9025
Path Finder

My existing query looks as follows and it works fine:

index=Myindex  sourcetype=app-sourcename "text to search" |  eval hostname= substr(host, len(host)-17) | stats count by host

Getting the last 17 characters from the string host.

Now I want to do an operation on host before it goes to stats, which is to extract 4 chars from hostname after skipping 2 dots. Can you tell me how I can modify the existing query to do that? I searched for string manipulation functions, but they do not seem to work here.

0 Karma

gcusello
SplunkTrust

Hi @user9025,

please try this:

| rex field=hostname "^\w+\.\w+\.(?<my_host>\w{4})"

that you can test at https://regex101.com/r/fWR8LV/1

Ciao.

giuseppe

0 Karma

user9025
Path Finder

Thanks for the reply, but hostname is not available as raw text. It's a field that can be referred to by "host" directly. If I click on the event, I see one field named "host".

So in my Splunk query, I can directly refer to "host" without the rex field. The following is how my event looks:

INFO  2022-02-14T02:16:15,129 servername requestid=asds This is my log info
  • host =Hostname
  • source =logfilename

I am looking for something like extract_regex(string, regex) where I can pass extract_regex(host, REGEX).

I tried to replace REGEX with yours, but it does not work.

0 Karma

gcusello
SplunkTrust

Hi @user9025,

if you don't have the field hostname, run the regex on _raw:

| rex "^\w+\.\w+\.(?<my_host>\w{4})"

Ciao.

Giuseppe

0 Karma
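As an added illustration (not part of this thread, and not Splunk's own code), here is the same pattern from the two answers above expressed in Python and run against a constructed host value of the shape given in the question, plus the constructed raw event line from the thread. Python writes the named group as (?P<my_host>...) where Splunk's rex writes (?<my_host>...); the rest of the pattern is identical. The helper names extract_my_host and extract_from_events, and the sample values, are assumptions made for this example. Because the pattern is anchored with ^, it only matches text that starts with the host name, which is why it is applied to the value of the host field rather than to a raw line that starts with a log level.

```python
import re

# Splunk rex pattern from the thread: ^\w+\.\w+\.(?<my_host>\w{4})
# Python spells the named group (?P<my_host>...); everything else is unchanged.
HOST_PATTERN = re.compile(r"^\w+\.\w+\.(?P<my_host>\w{4})")

# Constructed sample values for this example (not from a real environment).
SAMPLE_HOST = "server.region.ab1dc2.mydomain.com"
SAMPLE_RAW = "INFO  2022-02-14T02:16:15,129 servername requestid=asds This is my log info"


def extract_my_host(value):
    """Return the 4 word characters after the second dot, or None when the
    value does not have that shape (fewer than two dots, or fewer than four
    word characters after the second dot). This mirrors what
    `| rex field=host "^\\w+\\.\\w+\\.(?<my_host>\\w{4})"` would put in my_host."""
    match = HOST_PATTERN.match(value)
    return match.group("my_host") if match else None


def extract_from_events(events):
    """Mimic `| rex field=host ... | stats count by my_host` over a list of
    event dicts: extract my_host from each event's host field and count the
    distinct values. Events where the pattern does not match get no my_host
    field, and `stats ... by my_host` drops events with a null by-field, so
    they are skipped here too."""
    counts = {}
    for event in events:
        key = extract_my_host(event.get("host", ""))
        if key is None:
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("host field  ->", extract_my_host(SAMPLE_HOST))   # ab1d
    print("_raw line   ->", extract_my_host(SAMPLE_RAW))    # None: line starts with INFO, not a host name
    # Constructed events: two hosts in one group, one in another, one short host name.
    sample_events = [
        {"host": "server.region.ab1dc2.mydomain.com"},
        {"host": "other.region.ab1dc9.mydomain.com"},
        {"host": "server.region.xy9z01.mydomain.com"},
        {"host": "localhost"},
    ]
    print("stats count by my_host ->", extract_from_events(sample_events))
```

The second print shows the point behind the user's follow-up: when the text being searched does not begin with the host name, the anchored pattern yields nothing, so the rex has to be pointed at the field that holds the host name (field=host in this thread) rather than at the raw event.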
