Regex refining

Karthikeya
Communicator

Please tell me what will be the best and effective way to write regex here:

"vs_name":"v-juniper-uat.opco.sony-443",

Need to extract juniper-uat.opco.sony from every event as FQDN.

I am writing the regex below and it worked. Please tell me if this is good, or any suggestions you have for making it more reliable?

|rex "vs_name\"\:\"[^\/]\-(?<fqdn>[^\/]+)\-\d+\"\,"

livehybrid
Super Champion

Hi @Karthikeya 

Does the following work well for you? This allows v- to be optional:

|makeresults | eval _raw="\"vs_name\":\"v-juniper-uat.opco.sony-443\","
| append [|makeresults | eval _raw="\"vs_name\":\"juniper-uat.opco.sony-443\","]
| rex field=_raw "vs_name\"\s*:\s*\"(?:v-)?(?<fqdn>.+)-\d+"

kiran_panchavat
Influencer

@Karthikeya 

Check this

[screenshots omitted]


Karthikeya
Communicator

@kiran_panchavat "v" is not always guaranteed before the FQDN, as per the user.


kiran_panchavat
Influencer

@Karthikeya 

If the "v-" prefix is not guaranteed, then your regex needs to be updated.

[screenshots omitted]


gcusello
SplunkTrust
SplunkTrust

Hi @Karthikeya ,

If it runs, it's correct!

Anyway, I'd use this:

| rex "vs_name\"\:\"\w\-(?<fqdn>[^-]+)-\d+"

Ciao.

Giuseppe

Karthikeya
Communicator

Hi @gcusello ,

For some reason, the provided regex is not working. Can you please re check?

[screenshot omitted]


gcusello
SplunkTrust
SplunkTrust

Hi @Karthikeya ,

please try this:

| rex "vs_name\":\"\w-(?<fqdn>.+)-\d+"

that you can test at https://regex101.com/r/TDLukW/1

Ciao.

Giuseppe
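An added example, not code from the thread, that runs the regexes posted above under Node.js (whose RegExp accepts the same `(?<name>...)` groups as rex): gcusello's `[^-]+` version, the accepted `.+` version, livehybrid's optional `v-` variant, and a bounded variant of my own (an assumption, not from the thread) that stops the capture at the closing quote. The sample events are constructed, the first one taken from kiran_panchavat's sample set.

```javascript
// Added example: not code from the thread. Node's RegExp accepts the PCRE-style
// (?<name>...) groups used by rex, so the patterns below are the ones posted
// above with the SPL string escapes (\" and \:) removed.
const PATTERNS = {
  // gcusello's first suggestion: [^-]+ cannot cross the hyphen in "juniper-uat"
  hyphenFree: /vs_name":"\w-(?<fqdn>[^-]+)-\d+/,
  // gcusello's accepted answer: greedy .+ backtracks to the last "-<digits>"
  greedy: /vs_name":"\w-(?<fqdn>.+)-\d+/,
  // livehybrid's variant: the "v-" prefix is optional
  optionalV: /vs_name"\s*:\s*"(?:v-)?(?<fqdn>.+)-\d+/,
  // Assumed hardening (mine, not from the thread): [^"]+ keeps the capture
  // inside the quoted value, so a later "-<digits>" cannot extend the match
  bounded: /vs_name"\s*:\s*"(?:v-)?(?<fqdn>[^"]+)-\d+"/,
};

// Constructed sample events: the first is from kiran_panchavat's sample set,
// the second drops the "v-" prefix, the third has another "-<digits>" later on.
const EVENTS = [
  '{"timestamp":"2025-04-10T12:34:56Z", "vs_name":"v-juniper-uat.opco.sony-443", "status":"active"}',
  '{"timestamp":"2025-04-10T12:35:01Z", "vs_name":"juniper-uat.opco.sony-443", "status":"active"}',
  '{"vs_name":"v-juniper-uat.opco.sony-443", "pool":"pool-10"}',
];

// Apply one pattern to one event; null means rex would extract nothing.
function extractFqdn(event, pattern) {
  const m = pattern.exec(event);
  return m ? m.groups.fqdn : null;
}

// Run every pattern over every event -> { patternName: [fqdn | null, ...] }
function runAll(events = EVENTS, patterns = PATTERNS) {
  const out = {};
  for (const [name, re] of Object.entries(patterns)) {
    out[name] = events.map((e) => extractFqdn(e, re));
  }
  return out;
}

// hyphenFree extracts nothing; greedy and optionalV over-capture on the third
// event ('juniper-uat.opco.sony-443", "pool":"pool'); bounded is correct on all.
console.table(runAll());
```

The over-capture on the third event is why a search-time field built from the greedy pattern can silently produce bad values once the event layout changes; bounding the class to the quoted value is the cheap fix.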

Karthikeya
Communicator

@gcusello this is working. And how do I make this extraction at index time, I mean so that this field is extracted while indexing? Please guide me.


gcusello
SplunkTrust
SplunkTrust

Hi @Karthikeya ,

Are you sure that you want to apply this extraction at index time?

This means a greater job for the indexers, and this usually depends on the volume of indexed logs for extractions: how many logs must you index daily and in the peak period?

Here you can find a comparison between the two modes and a description: https://docs.splunk.com/Documentation/Splunk/9.4.1/Indexer/Indextimeversussearchtime

Ciao.

Giuseppe


PickleRick
SplunkTrust
SplunkTrust

Don't use indexed extractions! Unless you have a very good reason for it (if you don't know what reason that would be you probably don't have one). Just define a proper search-time extracted field.

kiran_panchavat
Influencer

@Karthikeya 

Apply the configurations below for the index-time field extraction.

props.conf

[screenshot omitted]

transforms.conf

[screenshot omitted]

I have uploaded the sample events to my lab environment and applied the above configurations. The fqdn field was successfully extracted. Please refer to the screenshot below.

[screenshots omitted]

Sample events:

{"timestamp":"2025-04-10T12:34:56Z", "vs_name":"v-juniper-uat.opco.sony-443", "status":"active"}
{"timestamp":"2025-04-10T12:35:01Z", "vs_name":"qa-nginx-dev.opco.abc-8443", "status":"active"}
{"timestamp":"2025-04-10T12:35:06Z", "vs_name":"prod-apache.opco.xyz-9443", "status":"inactive"}
{"timestamp":"2025-04-10T12:35:10Z", "vs_name":"test-web1.opco.something-8080", "status":"active"}
{"timestamp":"2025-04-10T12:35:15Z", "vs_name":"edge-juniper-uat.opco.sony-443", "status":"active"}

NOTE:

If you use heavy forwarders, the props.conf and transforms.conf changes should be applied to the heavy forwarders instead of the indexers.


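As an added example (not the configuration from the screenshots above, which are not reproduced), here is what the search-time extraction PickleRick recommends and the index-time variant kiran_panchavat describes look like in props.conf, transforms.conf and fields.conf. The sourcetype name and the transform name are placeholders, and the regex is a bounded form of the thread's pattern (stopping at the closing quote) that I assume; the fields.conf stanza is needed so that an index-time field is treated as indexed at search time.

```ini
# Added example, not the thread's own configuration.

# --- Search-time extraction (recommended): props.conf on the search head ---
[your_sourcetype]
EXTRACT-fqdn = vs_name"\s*:\s*"(?:v-)?(?<fqdn>[^"]+)-\d+"

# --- Index-time extraction (what the question asked for) ---
# props.conf on the indexers, or on the heavy forwarders if the data passes
# through them (see the NOTE above)
[your_sourcetype]
TRANSFORMS-fqdn = extract_fqdn_indexed

# transforms.conf, same host as the props.conf above
[extract_fqdn_indexed]
REGEX = vs_name"\s*:\s*"(?:v-)?([^"]+)-\d+"
FORMAT = fqdn::$1
WRITE_META = true

# fields.conf on the search head, so searches on fqdn use the indexed field
[fqdn]
INDEXED = true
```

The index-time form cannot be corrected after the fact: events already indexed with an over-captured value keep it, whereas a wrong EXTRACT only needs the props.conf line fixed.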