Splunk Search

Trying to Find All Names that Match a Name in a Field

atebysandwich
Path Finder

I have a field called DNS whose field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below:

DNS                     Identified_Host
host1.domain.com        host1.domain.com
host1-admin.domain.com  host1.domain.com
host1-mgt.domain.com    host1.domain.com
host2.domain.com        host2.domain.com
host2-admin.com         host2.domain.com
host2-mgt.admin.com     host2.domain.com
host3.domain.com        host3.domain.com
host3-admin.com         host3.domain.com

From this example, it's shown that Identified_Host is the main name of the host. I need to find out which hosts in Identified_Host have values in DNS with the same name but also end with -admin and/or -mgt.


yuanliu
SplunkTrust

I get a rough idea about what the OP wants:

  1. The lowest level domain in DNS must be that in Identified_Host + "-admin" or "-mgt", and
  2. All upper level domains in DNS and those in Identified_Host are identical.

If this is correct, here is a literal interpretation.


| foreach DNS Identified_Host
    [rex field=<<FIELD>> "(?<<<FIELD>>_low>[^\.]+)\.(?<<<FIELD>>_up>.+)"]
    ```split each name into its lowest label (_low) and everything above it (_up)```
| where match(DNS_low, "^" . Identified_Host_low . "-(admin|mgt)$") AND DNS_up == Identified_Host_up
    ```keep rows where the lowest label differs only by -admin/-mgt and the upper domain is the same```
| fields - *_low *_up


Pro tip: You can do volunteers here a great favor if you not only describe the data, but also demonstrate the desired result, then explain the logic between the data and the desired result.

Using the data emulation @yeahnah gives, the result from this search is

DNS                     Identified_Host
host1-admin.domain.com  host1.domain.com
host1-mgt.domain.com    host1.domain.com

Are these what you expect?
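To check the two conditions listed above outside Splunk, here is an added Python version of the same match (not code from this thread) run over rows constructed from the question's table; it also shows why the host2/host3 rows drop out (their upper domains differ), which is the part that is easy to miss when eyeballing the data.

```python
import re

# Constructed from the question's table: (DNS, Identified_Host) pairs.
SAMPLE_ROWS = [
    ("host1.domain.com", "host1.domain.com"),
    ("host1-admin.domain.com", "host1.domain.com"),
    ("host1-mgt.domain.com", "host1.domain.com"),
    ("host2.domain.com", "host2.domain.com"),
    ("host2-admin.com", "host2.domain.com"),
    ("host2-mgt.admin.com", "host2.domain.com"),
    ("host3.domain.com", "host3.domain.com"),
    ("host3-admin.com", "host3.domain.com"),
]
ROLE_SUFFIXES = ("admin", "mgt")

def split_host(name):
    """Lowest label and the rest, like the rex in the answer; None when there is no dot
    (the rex would not match such a name, so neither _low nor _up would exist)."""
    low, dot, up = name.partition(".")
    return (low, up) if dot else None

def is_role_alias(dns, identified):
    """Condition 1: DNS's lowest label is Identified_Host's lowest label plus -admin/-mgt.
    Condition 2: the domain above the lowest label is identical in both names."""
    dns_parts, id_parts = split_host(dns), split_host(identified)
    if dns_parts is None or id_parts is None:
        return False
    (dns_low, dns_up), (id_low, id_up) = dns_parts, id_parts
    if dns_up != id_up:  # e.g. host2-admin.com vs host2.domain.com fails here
        return False
    pattern = "^" + re.escape(id_low) + "-(" + "|".join(ROLE_SUFFIXES) + ")$"
    return re.match(pattern, dns_low) is not None

def matching_rows(rows):
    """Rows that survive the `where` clause, in input order."""
    return [(dns, ident) for dns, ident in rows if is_role_alias(dns, ident)]

def aliases_by_host(rows):
    """Group matching DNS names by Identified_Host, like `stats values(DNS) BY Identified_Host`."""
    grouped = {}
    for dns, ident in matching_rows(rows):
        grouped.setdefault(ident, []).append(dns)
    return grouped

if __name__ == "__main__":
    for ident, names in aliases_by_host(SAMPLE_ROWS).items():
        print(ident, "->", ", ".join(names))
```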

yeahnah
Motivator

Hi @atebysandwich 

I'm not 100% sure I understand what you are trying to do, but does this run-anywhere example help...

| makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain.com
host1-admin.domain.com,host1.domain.com
host1-mgt.domain.com,host1.domain.com
host2.domain.com,host2.domain.com
host2-admin.com,host2.domain.com
host2-mgt.admin.com,host2.domain.com
host3.domain.com,host3.domain.com
host3-admin.com,host3.domain.com"
| multikv forceheader=1
| table DNS Identified_Host
 ```^^^ dummy events ^^^```
| where DNS!=Identified_Host
| stats values(DNS) BY Identified_Host

