Using inline REX to extract duplicate hosts, how d...

stacejr · ‎12-08-2016

I am trying to identify the unique number of hosts reporting from a source. When the source is indexed, the host field sometimes is FQDN and sometimes is IP address. They are not duplicate entries, just different data/logs.

I have two separate searches, one that ignores the IP address hosts and delivers unique hosts as FQDN:

source="logsource"
| search host!="10.xxx"
| dedup host
| stats count by host

And one that uses the rex (I'm new to using this) option to pull the FQDN elsewhere in the log:

source="logsource"
| search host="10.xxx"
| rex field=_raw "leadingText,  (newhostfield.) trailingText"
| dedup newhostfield
| stats count by newhostfield, host

I want to combine the two lists in a search and dedup to give me a unique list of hosts from this log source.

Anyone able to point me in the right direction?
Thanks

somesoni2 · ‎12-08-2016

Give this a try

source="logsource"
| rex field=_raw "leadingText,  (newhostfield.) trailingText"
| eval newhostfield=if(match(host,"^10\..+"),newhostfield,host)
| stats dc(newhostfield) as count by newhostfield, host

Using inline REX to extract duplicate hosts, how do I identify the unique number of hosts reporting from a source?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Using inline REX to extract duplicate hosts, how do I identify the unique number of hosts reporting from a source?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...