Using inline REX to extract duplicate hosts, how d...

stacejr · ‎12-08-2016

I am trying to identify the unique number of hosts reporting from a source. When the source is indexed, the host field sometimes is FQDN and sometimes is IP address. They are not duplicate entries, just different data/logs.

I have two separate searches, one that ignores the IP address hosts and delivers unique hosts as FQDN:

source="logsource"
| search host!="10.xxx"
| dedup host
| stats count by host

And one that uses the rex (I'm new to using this) option to pull the FQDN elsewhere in the log:

source="logsource"
| search host="10.xxx"
| rex field=_raw "leadingText,  (newhostfield.) trailingText"
| dedup newhostfield
| stats count by newhostfield, host

I want to combine the two lists in a search and dedup to give me a unique list of hosts from this log source.

Anyone able to point me in the right direction?
Thanks

somesoni2 · ‎12-08-2016

Give this a try

source="logsource"
| rex field=_raw "leadingText,  (newhostfield.) trailingText"
| eval newhostfield=if(match(host,"^10\..+"),newhostfield,host)
| stats dc(newhostfield) as count by newhostfield, host

Using inline REX to extract duplicate hosts, how do I identify the unique number of hosts reporting from a source?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Using inline REX to extract duplicate hosts, how do I identify the unique number of hosts reporting from a source?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2