Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a new field that contains the domain name for machines on the network?

ngb
Engager
‎11-28-2016 03:28 AM

Hi,

I'm importing data from Nmap and would like to get the full domain name for the machines on the network.
The output looks like that:

<elem key="date">2016-11-27T13:01:38+01:00</elem>
<elem key="fqdn">XXXXXXXXX.mydomain.domain.com</elem>
<elem key="domain_dns">mydomain.domain.com</elem>
<elem key="forest_dns">domain.com</elem>
<elem key="workgroup">XXX\x00</elem>

Is it possible to extract a new field which contains only the text between <elem key="fqdn"> and </elem>.

On Linux I am able to do this with a script, but I am currently testing it on Windows.

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-28-2016 07:47 AM

Please try this as the one which will extract the domain name between <elem key="fqdn">XXXXXXXXX.mydomain.domain.com</elem> in a field called fullDomainName

your query to return you the event containing the data
| rex field=_raw "\<elem\skey=\"fqdn\"\>(?<fullDomainName>[^\<]+)<\/elem\>"
| table fullDomainName

See extraction here

View solution in original post

Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-28-2016 07:47 AM

Please try this as the one which will extract the domain name between <elem key="fqdn">XXXXXXXXX.mydomain.domain.com</elem> in a field called fullDomainName

your query to return you the event containing the data
| rex field=_raw "\<elem\skey=\"fqdn\"\>(?<fullDomainName>[^\<]+)<\/elem\>"
| table fullDomainName

See extraction here

Reply
Solved! Jump to solution

ngb
Engager
‎12-15-2016 08:20 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎11-28-2016 04:39 AM

Hi @ngb, welcome to Splunk Answers!

Yes, here's your regular expression to do that.. The field will be called "Domain".. You can easily change the field name by editing the value between < ... > .. Also to clarify, the ... | is your base search

... | rex elem\skey\=\"(?P<Domain>\w+)

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎12-02-2016 05:02 AM

@ngb, did this help solve your problem? If so can you accept the answer and close it?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...