Splunk Search

Trying to Find All Names that Match a Name in a Field

atebysandwich
Path Finder

I have a field called DNS whose field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below:

DNS                      Identified_Host
host1.domain.com         host1.domain.com
host1-admin.domain.com   host1.domain.com
host1-mgt.domain.com     host1.domain.com
host2.domain.com         host2.domain.com
host2-admin.com          host2.domain.com
host2-mgt.admin.com      host2.domain.com
host3.domain.com         host3.domain.com
host3-admin.com          host3.domain.com


From this example, it's shown that Identified_Host is the main name of the host. I need to find out which hosts in Identified_Host have values in DNS with the same name but also end with -admin and/or -mgt.


yuanliu
SplunkTrust

I get a rough idea about what the OP wants:

  1. The lowest level domain in DNS must be that in Identified_Host + "-admin" or "-mgt", and
  2. All upper level domains in DNS and those in Identified_Host are identical.

If this is correct, here is a literal interpretation.


| foreach DNS Identified_Host
    [rex field=<<FIELD>> "(?<<<FIELD>>_low>[^\.]+).(?<<<FIELD>>_up>.+)"]
| where match(DNS_low, "^". Identified_Host_low. "-(admin|mgt)$") AND DNS_up == Identified_Host_up
| fields - *_low *_up


Pro tip: You can do volunteers here a great favor if you not just describe the data, but also demonstrate the desired result, then explain the logic between the data and the desired result.

Using the data emulation @yeahnah gives, the result from this search is

DNS                      Identified_Host
host1-admin.domain.com   host1.domain.com
host1-mgt.domain.com     host1.domain.com

Are these what you expect?

yeahnah
Motivator

Hi @atebysandwich 

I'm not 100% sure I understand what you are trying to do, but does this run-anywhere example help...

| makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain.com
host1-admin.domain.com,host1.domain.com
host1-mgt.domain.com,host1.domain.com
host2.domain.com,host2.domain.com
host2-admin.com,host2.domain.com
host2-mgt.admin.com,host2.domain.com
host3.domain.com,host3.domain.com
host3-admin.com,host3.domain.com"
| multikv forceheader=1
| table DNS Identified_Host
 ```^^^ dummy events ^^^```
| where DNS!=Identified_Host
| stats values(DNS) BY Identified_Host


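The two answers above take different approaches: the first applies two explicit rules (lowest DNS label equals the Identified_Host label plus "-admin" or "-mgt", and the upper domains are identical), while the second simply drops rows where the two fields are equal and groups the rest by Identified_Host. The following Python is an added example, not code from the thread or from either answerer, that models both approaches over the constructed sample rows from the question so the two result sets can be compared side by side. The function names `split_name`, `strict_match` and `loose_group` are assumptions for this illustration; the regex in `strict_match` mirrors the `match()` call in the SPL, with `re.escape` added as a guard the SPL version does not have.

```python
import re
from collections import defaultdict

# Constructed sample data, copied from the question's DNS / Identified_Host table.
ROWS = [
    ("host1.domain.com", "host1.domain.com"),
    ("host1-admin.domain.com", "host1.domain.com"),
    ("host1-mgt.domain.com", "host1.domain.com"),
    ("host2.domain.com", "host2.domain.com"),
    ("host2-admin.com", "host2.domain.com"),
    ("host2-mgt.admin.com", "host2.domain.com"),
    ("host3.domain.com", "host3.domain.com"),
    ("host3-admin.com", "host3.domain.com"),
]


def split_name(fqdn):
    """Mirror the rex in the first answer: the lowest label, then everything
    after the first dot (the 'upper' domain). A name with no dot yields an
    empty upper part."""
    low, _, up = fqdn.partition(".")
    return low, up


def strict_match(rows, suffixes=("admin", "mgt")):
    """First answer's two rules (hypothetical helper name):
    1. DNS low label == Identified_Host low label + '-admin' or '-mgt'
    2. the upper domains of DNS and Identified_Host are identical."""
    alternation = "|".join(re.escape(s) for s in suffixes)
    matched = []
    for dns, ident in rows:
        dns_low, dns_up = split_name(dns)
        id_low, id_up = split_name(ident)
        # Same shape as the SPL: "^" . Identified_Host_low . "-(admin|mgt)$".
        pattern = rf"^{re.escape(id_low)}-({alternation})$"
        if dns_up == id_up and re.match(pattern, dns_low):
            matched.append((dns, ident))
    return matched


def loose_group(rows):
    """Second answer's approach (hypothetical helper name): keep rows where
    DNS != Identified_Host, then group DNS values by Identified_Host, like
    `stats values(DNS) BY Identified_Host`. Values are sorted as stats does."""
    groups = defaultdict(list)
    for dns, ident in rows:
        if dns != ident:
            groups[ident].append(dns)
    return {ident: sorted(values) for ident, values in groups.items()}


if __name__ == "__main__":
    for dns, ident in strict_match(ROWS):
        print(f"strict: {dns:<24} {ident}")
    for ident, values in loose_group(ROWS).items():
        print(f"loose:  {ident:<24} {values}")
```

Running it shows the difference the question hinges on: the strict rules return only the two host1 rows, because host2-admin.com, host2-mgt.admin.com and host3-admin.com do not share the upper domain of their Identified_Host; the loose grouping lists all five rows where the fields differ, so it answers "which DNS names differ from the host name" rather than "which DNS names are the host name plus -admin/-mgt".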