I have a field "hostname" in Splunk logs which is available in my event as "host = server.region.ab1dc2.mydomain.com".
I can refer to host with the same name "host" in a Splunk query. I want to extract the substring with 4 digits after two dots; for the above example, it will be "ab1d". What should my Splunk query look like for this extraction?
Basically I have been given a string, and want to skip two dots and then take the four characters after that.
My existing query looks as follows and it works fine:
index=Myindex sourcetype=app-sourcename "text to search" | eval hostname= substr(host, len(host)-17) | stats count by host
Getting last 17 characters from string host.
Now I want to do an operation on host before it goes to stats, which is to extract 4 chars from hostname after skipping 2 dots. Can you tell me how I can modify the existing query to do that? I searched sot string manipulation functions, but it does not seem to work here.
Hi @user9025,
please try this:
| rex field=hostname "^\w+\.\w+\.(?<my_host>\w{4})"
that you can test at https://regex101.com/r/fWR8LV/1
Ciao.
giuseppe
Thanks for the reply, but hostname is not available as raw text. It's a field that can be referred to by "host" directly. If I click on an event, I see one field name as "host".
So in my Splunk query, I can directly refer to "host" without rex field. Following is how my event looks:
I am looking for something like extract_regex(string,regex), where I can pass extract_regex(host,REGEX).
I tried to replace REGEX with yours, but it does not work.
Hi @user9025,
if you don't have the field hostname, run the regex on the _raw
| rex "^\w+\.\w+\.(?<my_host>\w{4})"
Ciao.
Giuseppe
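The extraction discussed in this thread, applied directly to the host field and fed into stats, as an added example that is not part of the original posts. The three host values are constructed samples and my_host_eval is a hypothetical field name; [^.] is used instead of \w so that labels containing hyphens still match, and the eval line shows the same extraction with string functions only.

```spl
| makeresults
| eval host=split("server.region.ab1dc2.mydomain.com,web-01.eu-west.xy9zk3.mydomain.com,short.host", ",")
| mvexpand host
| rex field=host "^[^.]+\.[^.]+\.(?<my_host>[^.]{4})"
| eval my_host_eval=substr(mvindex(split(host, "."), 2), 1, 4)
| fillnull value="unparsed" my_host my_host_eval
| stats count by host my_host my_host_eval
```

In a real search, drop the first three lines, keep the rex (or eval) line after the base search, and finish with stats count by my_host. The two methods differ when the third label is shorter than four characters: rex does not match, while substr returns the shorter string.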