Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex to modify hostname field and where . is there remove it

surekhasplunk
Communicator
‎03-09-2021 05:18 AM

I have index=syslog where the hostname comes as fqdn and Ip address

i want rex to modify only hostname field only where fqdn is coming and modify then to get only first part of the hostname all after . should be removed and save it in a new field host. 

example : hostname column has hostname which looks like abcd-efg-hij-k23-b1.xyz.gmail

Now after using rex/sed i want in the host field abcd-efg-hij-k23-b1 everything after . should be removed. 

note: i also have ip address which has . in it so while applying rex the ip addresses should not be considered.

It should only affect/take into consideration the alphanumeric field. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 05:27 AM

Hi @surekhasplunk,

let me understand: do you want a regex to extract the hostname before dot at search time or do you want to set the hostname at indextime?

If at searchtime, try this regex

| rex field=host "^(?<host>[^\.]+)"

if you want to replace the hostname using SEDCMD, you could try:

SEDCMD-host = y/[^\.]\.\w+\.\w+/[^\.]/

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scelikok
Champion
a month ago

Hi @sumandevops,

You can use rex command;

| rex field=host "(?<host_no>\d+)"
If this reply helps you an upvote is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 05:27 AM

Hi @surekhasplunk,

let me understand: do you want a regex to extract the hostname before dot at search time or do you want to set the hostname at indextime?

If at searchtime, try this regex

| rex field=host "^(?<host>[^\.]+)"

if you want to replace the hostname using SEDCMD, you could try:

SEDCMD-host = y/[^\.]\.\w+\.\w+/[^\.]/

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sumandevops
Engager
a month ago

How to get first part before . 

 

example: host filed is looks like 

abdc.4567

I want only 4567

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 06:21 AM

Hi @surekhasplunk,

good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!