Splunk Search

Trying to Find All Names that Match a Name in a Field

atebysandwich
Path Finder

I have a field called DNS whose field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below:

DNS                      Identified_Host
host1.domain.com         host1.domain.com
host1-admin.domain.com   host1.domain.com
host1-mgt.domain.com     host1.domain.com
host2.domain.com         host2.domain.com
host2-admin.com          host2.domain.com
host2-mgt.admin.com      host2.domain.com
host3.domain.com         host3.domain.com
host3-admin.com          host3.domain.com

From this example, it's shown that Identified_Host is the main name of the host. I need to find out which hosts in Identified_Host have values in DNS with the same name but also end with -admin and/or -mgt.


yuanliu
SplunkTrust

I get a rough idea about what the OP wants:

  1. The lowest level domain in DNS must be that in Identified_Host + "-admin" or "-mgt", and
  2. All upper level domains in DNS and those in Identified_Host are identical.

If this is correct, here is a literal interpretation.

``` split each field at its first dot: <name>_low is the host label, <name>_up is the rest of the domain ```
| foreach DNS Identified_Host
    [rex field=<<FIELD>> "(?<<<FIELD>>_low>[^\.]+)\.(?<<<FIELD>>_up>.+)"]
``` keep rows whose DNS label is the Identified_Host label plus -admin or -mgt and whose upper domains are identical ```
| where match(DNS_low, "^". Identified_Host_low. "-(admin|mgt)$") AND DNS_up == Identified_Host_up
| fields - *_low *_up

Pro tip: You can do volunteers here a great favor if you not only describe the data but also demonstrate the desired result, then explain the logic between the data and the desired result.

Using the data emulation @yeahnah gives, the result from this search is

DNS                      Identified_Host
host1-admin.domain.com   host1.domain.com
host1-mgt.domain.com     host1.domain.com

Are these what you expect?
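The two rules above, written out in Python as an added example (this is not part of either answer or of Splunk): the sample rows are constructed from the question's table, and the function names are my own. It mirrors the SPL by splitting each name at its first dot, and it reports which rule a non-matching row fails, which makes it clear why host2-admin.com and host3-admin.com drop out (their upper domains differ) even though their labels end in -admin. Note that the SPL match() builds its regex by concatenating the raw Identified_Host label; re.escape below keeps any regex metacharacters in that field value literal.

```python
import re
from collections import defaultdict

# Constructed sample rows: the (DNS, Identified_Host) pairs from the question.
SAMPLE_ROWS = [
    ("host1.domain.com", "host1.domain.com"),
    ("host1-admin.domain.com", "host1.domain.com"),
    ("host1-mgt.domain.com", "host1.domain.com"),
    ("host2.domain.com", "host2.domain.com"),
    ("host2-admin.com", "host2.domain.com"),
    ("host2-mgt.admin.com", "host2.domain.com"),
    ("host3.domain.com", "host3.domain.com"),
    ("host3-admin.com", "host3.domain.com"),
]

# The role suffixes the question asks about.
SUFFIXES = ("admin", "mgt")


def split_host(fqdn):
    """Split a name at its first dot, mirroring the rex in the answer:
    'host1-admin.domain.com' -> ('host1-admin', 'domain.com')."""
    low, _, up = fqdn.partition(".")
    return low, up


def explain(dns, identified_host, suffixes=SUFFIXES):
    """Classify one row against the two rules.

    Returns 'match' when both rules hold, otherwise the name of the rule
    that fails: 'upper-domain-differs' or 'lowest-label-differs'.
    """
    dns_low, dns_up = split_host(dns)
    id_low, id_up = split_host(identified_host)

    # Rule 2: everything after the first dot must be identical.
    if dns_up != id_up:
        return "upper-domain-differs"

    # Rule 1: the lowest label must be the Identified_Host label plus -admin/-mgt.
    # re.escape keeps any regex metacharacters in the field value literal.
    pattern = r"^" + re.escape(id_low) + r"-(" + "|".join(map(re.escape, suffixes)) + r")$"
    if re.fullmatch(pattern, dns_low) is None:
        return "lowest-label-differs"
    return "match"


def is_variant(dns, identified_host, suffixes=SUFFIXES):
    """True when the DNS name is an -admin/-mgt variant of Identified_Host."""
    return explain(dns, identified_host, suffixes) == "match"


def matching_variants(rows, suffixes=SUFFIXES):
    """Group matching DNS names under their Identified_Host, the equivalent of
    `stats values(DNS) BY Identified_Host` after the where filter."""
    out = defaultdict(list)
    for dns, ident in rows:
        if is_variant(dns, ident, suffixes):
            out[ident].append(dns)
    return {ident: sorted(names) for ident, names in out.items()}


if __name__ == "__main__":
    for dns, ident in SAMPLE_ROWS:
        print(f"{dns:24} {ident:20} {explain(dns, ident)}")
    print(matching_variants(SAMPLE_ROWS))
```

Run as a script it prints one line per row with the rule outcome, then the grouped result; on the constructed rows only the two host1 variants survive, which agrees with the table above.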

yeahnah
Motivator

Hi @atebysandwich 

I'm not 100% sure I understand what you are trying to do, but does this run-anywhere example help...

| makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain.com
host1-admin.domain.com,host1.domain.com
host1-mgt.domain.com,host1.domain.com
host2.domain.com,host2.domain.com
host2-admin.com,host2.domain.com
host2-mgt.admin.com,host2.domain.com
host3.domain.com,host3.domain.com
host3-admin.com,host3.domain.com"
| multikv forceheader=1
| table DNS Identified_Host
 ```^^^ dummy events ^^^```
| where DNS!=Identified_Host
| stats values(DNS) BY Identified_Host
