Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to Extract substring from Splunk String using regex

user9025
Path Finder
‎02-14-2022 02:16 AM
 

I ave a field "hostname" in splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com".

I can refer to host with same name "host" in splunk query. I want to extract the substring with 4 digits after two dots ,for the above example , it will be "ab1d". How my splunk query should look like for this extraction?

Basically I have been given a string, and want to skip two dots and then take the four characters after that.

 

Labels (3)
Labels
0 Karma
Reply

user9025
Path Finder
‎02-14-2022 03:31 AM

My existing query looks like follow and it works fine:

index=Myindex  sourcetype=app-sourcename "text to search" |  eval hostname= substr(host, len(host)-17) | stats count by host

Getting last 17 characters from string host.

Now i want to do operation on host before it goes to stats ,which is to extract 4 chars from hostname after skipping 2 dots, can u tell how can I modify existing query to do that?I searched sot string manipulation functions, but it does not seem to work here

 

 

 

 

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-14-2022 02:21 AM

Hi @user9025,

please try this:

| rex field=hostname "^\w+\.\w+\.(?<my_host>\w{4})"

that you can test at https://regex101.com/r/fWR8LV/1

Ciao.

giuseppe

0 Karma
Reply

user9025
Path Finder
‎02-14-2022 02:38 AM

Thanks for reply but hostname is not available as a raw text.Its a filed, that can be referred by"host" directly,If i click on event, I see one field name as "host".

 

So in my splunk query, I can directly refer "host" without rex field.Following is how my event looks like:

 

INFO  2022-02-14T02:16:15,129 servername requestid=asds This is my log info
  • host =Hostname
  • source =logfilename

I am looking something, extract_regex(string,regex) where i can pass extract_regex(host,REGEX), 

i tried to replace REGEX with yours, but it does not work

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-14-2022 03:02 AM

Hi @user9025,

if you haven't the field hostname, search the regex on the _raw

| rex "^\w+\.\w+\.(?<my_host>\w{4})"

Ciao.

Giuseppe

0 Karma
Reply

user9025
Path Finder
‎02-14-2022 03:31 AM

My existing query looks like follow and it works fine:

index=Myindex  sourcetype=app-sourcename "text to search" |  eval hostname= substr(host, len(host)-17) | stats count by host

Getting last 17 characters from string host.

Now i want to do operation on host before it goes to stats ,which is to extract 4 chars from hostname after skipping 2 dots, can u tell how can I modify existing query to do that?I searched sot string manipulation functions, but it does not seem to work here

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...