Splunk Search

Separate a field value and use the parts to make a new field

Motivator

Separate a field value and use the parts to make a new field.
My host names have four components in the name separated by a dash:

i.e. "location-group-function-number.domain.com"

I would like to separate the parts of the name and recombine them as:

"Loc-num"

I used this regex to go from the FQDN to the NetBIOS name:

rex field=host "^(?<name>.+)\.domain\.com"

I tried using makemv delim="-" name
but this just gives me more values for "name".

I thought of using three regex functions, one for each part, and then using strcat to put them back together, but this seems a bit too much code for a simple task.

I have this format: host="Loc-Grp-Func-##.domain.com"

For readability on the report I would like: name="Loc-##"

Any suggestions would be helpful

1 Solution

SplunkTrust

This should do:

| stats count | eval host = "location-group-function-number.domain.com" | rex field=host "^(?<location>[^-]+)-(?<group>[^-]+)-(?<function>[^-]+)-(?<number>[^.]+)" | eval name = location."-".number

Once happy you can move the rex to a field extraction by going to Settings -> Fields -> Field Extractions -> New and entering this (note the "in host"!):

^(?<location>[^-]+)-(?<group>[^-]+)-(?<function>[^-]+)-(?<number>[^.]+) in host

You could go even further and define a calculated field for name - then there's little need to repeat this in every query.


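The following is an added example, not part of the original question or the accepted answer. It runs the answer's regex outside Splunk (in Python, since SPL cannot be executed stand-alone) against a few constructed hostnames so you can see exactly which fields the rex would extract and what the eval concatenation yields. The point worth checking before turning the rex into a permanent field extraction is how it behaves on hosts that do not fit the four-part convention: a three-part name simply fails to match (so name stays null), but a five-part name still matches, with the extra component swallowed into number because `[^.]+` accepts dashes. The stricter pattern at the end, which anchors on the domain suffix and forbids dashes in number, is an assumption of this example and is not from the answer.

```python
import re

# Same pattern the accepted answer uses in rex, written with Python's (?P<name>...)
# group syntax. Splunk's rex accepts the (?<name>...) form shown in the answer.
HOST_RE = re.compile(
    r"^(?P<location>[^-]+)-(?P<group>[^-]+)-(?P<function>[^-]+)-(?P<number>[^.]+)"
)

# Stricter variant (an addition of this example, not from the answer): number may not
# contain a dash, and the host must end in the expected domain suffix.
STRICT_RE = re.compile(
    r"^(?P<location>[^-]+)-(?P<group>[^-]+)-(?P<function>[^-]+)-(?P<number>[^-.]+)"
    r"\.domain\.com$"
)


def extract_parts(host, pattern=HOST_RE):
    """Return the captured parts as a dict, or None when the host does not match.

    This mirrors rex: on a non-match the named fields are simply not created.
    """
    m = pattern.match(host)
    return m.groupdict() if m else None


def short_name(host, pattern=HOST_RE):
    """Equivalent of  eval name = location."-".number  in the answer.

    Returns None when the rex would not have extracted anything, which is what
    Splunk's eval produces when it concatenates null fields.
    """
    parts = extract_parts(host, pattern)
    if parts is None:
        return None
    return f"{parts['location']}-{parts['number']}"


# Constructed sample hostnames (not taken from the original post).
SAMPLE_HOSTS = [
    "nyc-web-app-01.domain.com",         # the expected four-part shape
    "lon-db-sql-12.domain.com",
    "nyc-web-app-01",                    # same name without the domain suffix
    "nyc-web-app-01-spare.domain.com",   # five components: still matches loosely
    "nyc-web-01.domain.com",             # three components: no match at all
]


def summarize(hosts=SAMPLE_HOSTS):
    """Map each host to (loose name, strict name) so the two behaviours can be compared."""
    return {h: (short_name(h), short_name(h, STRICT_RE)) for h in hosts}


if __name__ == "__main__":
    for host, (loose, strict) in summarize().items():
        print(f"{host:36} loose={loose!s:14} strict={strict!s}")
```

If the report is going to be keyed on name, it is worth deciding up front whether the loose behaviour on five-part hosts is acceptable; the field extraction and calculated field the answer recommends will silently apply whichever pattern you chose to every search.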