Splunk Search

Parsing host names when a single rex doesn't fit all possible character combinations

interloper
Engager

Is this even possible?! Any help will be appreciated.

I need to search for specific text in a Windows host name that is located, by naming convention, after a 4, 5 or 6 character campus site code. The specific text identifies the function of the host (e.g., print server, database server, domain controller, etc.).

For example (these host names are simplified to illustrate the problem):

1.)    host=L004PS4bldDC7, the campus site code is “L004” and the function code is “PS”

2.)    host= L0005DB5bldPS, the campus site code is “L0005” and the function code is “DB”

3.)    host=L00006DC6rDB1, the campus site code is “L00006” and the function code is “DC”

The data I’m searching through has 200+ campus site codes, each of which can be 4, 5 or 6 characters and each search will return 1000+ events.

We are using a lookup to identify the campus site attribute from the host name. Using the same process doesn’t work for the function code. The characters following the function code are determined by the campus site admins and used to identify the physical location of each host on their campus (building name or room number). These physical location codes sometimes contain characters that match a function code required by the naming convention.

For instance, if I search for events or metrics from print servers using *PS*, I also get them from non-print servers like host #2 above.

Labels (5)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @interloper ,

using the following regex, you can extract campus_site_code and  function fields that you can use for your checks:

| rex "host\=\s*(?<campus_site_code>\w\d{3,5})(?<function>\w\w)"

you can check this regex at https://regex101.com/r/3rZhAE/1

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...