Splunk Search
Highlighted

Using inline REX to extract duplicate hosts, how do I identify the unique number of hosts reporting from a source?

Engager

I am trying to identify the unique number of hosts reporting from a source. When the source is indexed, the host field sometimes is FQDN and sometimes is IP address. They are not duplicate entries, just different data/logs.

I have two separate searches, one that ignores the IP address hosts and delivers unique hosts as FQDN:

source="logsource"
| search host!="10.xxx"
| dedup host
| stats count by host

And one that uses the rex (I'm new to using this) option to pull the FQDN elsewhere in the log:

source="logsource"
| search host="10.xxx"
| rex field=_raw "leadingText,  (newhostfield.) trailingText"
| dedup newhostfield
| stats count by newhostfield, host

I want to combine the two lists in a search and dedup to give me a unique list of hosts from this log source.

Anyone able to point me in the right direction?
Thanks

0 Karma
Highlighted

Re: Using inline REX to extract duplicate hosts, how do I identify the unique number of hosts reporting from a source?

SplunkTrust
SplunkTrust

Give this a try

source="logsource"
| rex field=_raw "leadingText,  (newhostfield.) trailingText"
| eval newhostfield=if(match(host,"^10\..+"),newhostfield,host)
| stats dc(newhostfield) as count by newhostfield, host
0 Karma