Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing host names when a single rex doesn't fit all possible character combinations

interloper
Engager
‎11-28-2023 05:40 PM

Is this even possible?! Any help will be appreciated.

I need to search for specific text in a Windows host name that is located, by naming convention, after a 4, 5 or 6 character campus site code. The specific text identifies the function of the host (e.g., print server, database server, domain controller, etc.).

For example (these host names are simplified to illustrate the problem):

1.)    host=L004PS4bldDC7, the campus site code is “L004” and the function code is “PS”

2.)    host= L0005DB5bldPS, the campus site code is “L0005” and the function code is “DB”

3.)    host=L00006DC6rDB1, the campus site code is “L00006” and the function code is “DC”

The data I’m searching through has 200+ campus site codes, each of which can be 4, 5 or 6 characters and each search will return 1000+ events.

We are using a lookup to identify the campus site attribute from the host name. Using the same process doesn’t work for the function code. The characters following the function code are determined by the campus site admins and used to identify the physical location of each host on their campus (building name or room number). These physical location codes sometimes contain characters that match a function code required by the naming convention.

For instance, if I search for events or metrics from print servers using *PS*, I also get them from non-print servers like host #2 above.

Labels (5)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-28-2023 09:00 PM

Hi @interloper ,

using the following regex, you can extract campus_site_code and  function fields that you can use for your checks:

| rex "host\=\s*(?<campus_site_code>\w\d{3,5})(?<function>\w\w)"

you can check this regex at https://regex101.com/r/3rZhAE/1

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Machine Learning - Assisted Adaptive Thresholding

Let’s talk thresholding. Have you set up static thresholds? Tired of static thresholds triggering false ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...