Splunk Search

Parsing host names when a single rex doesn't fit all possible character combinations


Is this even possible?! Any help will be appreciated.

I need to search for specific text in a Windows host name that is located, by naming convention, after a 4, 5 or 6 character campus site code. The specific text identifies the function of the host (e.g., print server, database server, domain controller, etc.).

For example (these host names are simplified to illustrate the problem):

1.)    host=L004PS4bldDC7, the campus site code is “L004” and the function code is “PS”

2.)    host= L0005DB5bldPS, the campus site code is “L0005” and the function code is “DB”

3.)    host=L00006DC6rDB1, the campus site code is “L00006” and the function code is “DC”

The data I’m searching through has 200+ campus site codes, each of which can be 4, 5 or 6 characters and each search will return 1000+ events.

We are using a lookup to identify the campus site attribute from the host name. Using the same process doesn’t work for the function code. The characters following the function code are determined by the campus site admins and used to identify the physical location of each host on their campus (building name or room number). These physical location codes sometimes contain characters that match a function code required by the naming convention.

For instance, if I search for events or metrics from print servers using *PS*, I also get them from non-print servers like host #2 above.

Labels (5)
0 Karma


Hi @interloper ,

using the following regex, you can extract campus_site_code and  function fields that you can use for your checks:

| rex "host\=\s*(?<campus_site_code>\w\d{3,5})(?<function>\w\w)"

you can check this regex at https://regex101.com/r/3rZhAE/1



0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...