Splunk Search

Parsing host names when a single rex doesn't fit all possible character combinations

interloper
Engager

Is this even possible?! Any help will be appreciated.

I need to search for specific text in a Windows host name that is located, by naming convention, after a 4, 5 or 6 character campus site code. The specific text identifies the function of the host (e.g., print server, database server, domain controller, etc.).

For example (these host names are simplified to illustrate the problem):

1.) host=L004PS4bldDC7, the campus site code is “L004” and the function code is “PS”

2.) host= L0005DB5bldPS, the campus site code is “L0005” and the function code is “DB”

3.) host=L00006DC6rDB1, the campus site code is “L00006” and the function code is “DC”

The data I’m searching through has 200+ campus site codes, each of which can be 4, 5 or 6 characters and each search will return 1000+ events.

We are using a lookup to identify the campus site attribute from the host name. Using the same process doesn’t work for the function code. The characters following the function code are determined by the campus site admins and used to identify the physical location of each host on their campus (building name or room number). These physical location codes sometimes contain characters that match a function code required by the naming convention.

For instance, if I search for events or metrics from print servers using *PS*, I also get them from non-print servers like host #2 above.


gcusello
SplunkTrust

Hi @interloper ,

Using the following regex, you can extract campus_site_code and function fields that you can use for your checks:

| rex "host\=\s*(?<campus_site_code>\w\d{3,5})(?<function>\w\w)"

You can check this regex at https://regex101.com/r/3rZhAE/1

Ciao.

Giuseppe

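As an added illustration (not part of gcusello's reply and not Splunk code), the pattern from the rex above is applied in Python to the three host names from the question and compared with the *PS* substring search the question describes. The regex body is the same as in the reply, anchored to the start of the host value instead of being preceded by "host\=\s*" because it is matched against the host value directly rather than against _raw. The function names and the sample host list are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample data: the three host names given in the question.
# Naming convention: campus site code (a letter followed by 3 to 5 digits,
# i.e. 4 to 6 characters), then a two-character function code, then a
# free-form physical location suffix chosen by the campus admins.
SAMPLE_HOSTS = ["L004PS4bldDC7", "L0005DB5bldPS", "L00006DC6rDB1"]

# Same capture groups as the reply's rex, anchored at the start of the host
# value. \d{3,5} is greedy, so the site code ends at the first non-digit,
# which is why the function code must not begin with a digit.
HOST_PATTERN = re.compile(r"^(?P<campus_site_code>\w\d{3,5})(?P<function>\w\w)")


def parse_host(host: str) -> Optional[dict]:
    """Return {'campus_site_code': ..., 'function': ...} for a host that
    follows the convention, or None when it does not (so callers can
    count or alert on non-conforming names instead of mis-classifying them)."""
    match = HOST_PATTERN.match(host.strip())
    if match is None:
        return None
    return match.groupdict()


def hosts_with_function(hosts, code: str) -> list:
    """Positional match: keep hosts whose extracted function field equals
    `code`. This mirrors `| rex ... | search function=code` in SPL."""
    selected = []
    for host in hosts:
        parsed = parse_host(host)
        if parsed is not None and parsed["function"] == code:
            selected.append(host)
    return selected


def hosts_matching_wildcard(hosts, code: str) -> list:
    """The *PS*-style search from the question: a substring match anywhere
    in the name, which also picks up location suffixes that happen to
    contain the function code."""
    return [host for host in hosts if code in host]


if __name__ == "__main__":
    for function_code in ("PS", "DB", "DC"):
        print(function_code,
              "positional:", hosts_with_function(SAMPLE_HOSTS, function_code),
              "wildcard:", hosts_matching_wildcard(SAMPLE_HOSTS, function_code))
```

Running it shows that the substring search returns two hosts for every function code (the second one only because its location suffix contains the letters), while the positional extraction returns exactly the one host whose function code sits right after the site code. The `None` return from `parse_host` is the place to catch host names that do not follow the convention at all, rather than silently letting them fall into a wrong category.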