Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create two new fields from a single field?

bt149
Path Finder
‎03-24-2023 06:28 AM

I have a log set from FW's. These logs have a field called "src."  From what I can tell, this field is populated with values such as:
FQDN (myhost.mydomain.com)
Console or telnet
10.0.0.1

I'm looking to have two fields created from the "src" field, one name IP if the value in "src" is an IP and "src_nt_host" if the value is not an ip_address.  A small sample from the logged event:

From: Console or telnet.
From: myhost.mydomain.com.
From: 10.0.0.1.

Any help / guidance is greatly appreciated.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2023 11:32 PM

HI @bt149 ,

Sorry, please try this:

<your_search>
| rex field=src "(?<ip>\d+\.\d+\.\d+\.\d+)"
| eval src_nt_host=if(isnull(ip),src,"")

that I tested

gcusello_0-1679725939051.png

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

bt149
Path Finder
‎03-24-2023 07:25 AM

Thank you but that didn't do the trick.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2023 11:32 PM

HI @bt149 ,

Sorry, please try this:

<your_search>
| rex field=src "(?<ip>\d+\.\d+\.\d+\.\d+)"
| eval src_nt_host=if(isnull(ip),src,"")

that I tested

gcusello_0-1679725939051.png

Ciao.

Giuseppe

Reply
Solved! Jump to solution

bt149
Path Finder
‎03-25-2023 05:02 AM

Thank you Giuseppe!  This worked well.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2023 06:41 AM

Hi @bt149 ,

you could try something like this:

<your_search>
| rex field=src "(?<ip>\d+\.\d+\.\d+\.\d+)"
| eval src_nt_host=if(isempty(ip),src,"")
| ...

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...