I have index=syslog where the hostname comes as an FQDN or an IP address.
I want rex to modify only the hostname field, only where an FQDN is coming, and modify it to get only the first part of the hostname; everything after the `.` should be removed and saved in a new field host.
example: the hostname column has a hostname which looks like abcd-efg-hij-k23-b1.xyz.gmail
Now after using rex/sed I want in the host field abcd-efg-hij-k23-b1; everything after the `.` should be removed.
note: I also have IP addresses which have `.` in them, so while applying rex the IP addresses should not be considered.
It should only affect/take into consideration the alphanumeric field.
Hi @surekhasplunk,
let me understand: do you want a regex to extract the hostname before the dot at search time, or do you want to set the hostname at index time?
If at search time, try this regex:
| rex field=host "^(?<host>[^\.]+)"
if you want to replace the hostname using SEDCMD, you could try:
SEDCMD-host = s/^([^\.]+)\..*$/\1/
Ciao.
Giuseppe
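As an added example (not part of Giuseppe's answer or of any Splunk code), here is the same "keep only the label before the first dot" logic reproduced in Python so you can check it against sample host values offline. It covers the extra requirement from the question that IP addresses must not be touched: the search-time `rex` pattern `^(?<host>[^\.]+)` and the index-time `s/^([^\.]+)\..*$/\1/` substitution are both applied only to values that do not parse as an IP address. The sample values are constructed, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample values for the Splunk "host" field (not taken from the thread).
SAMPLE_HOSTS = [
    "abcd-efg-hij-k23-b1.xyz.gmail",  # FQDN: should become abcd-efg-hij-k23-b1
    "10.20.30.40",                    # IPv4: contains dots but must stay as-is
    "fe80::1",                        # IPv6: no dots, must stay as-is
    "plainhost",                      # already a short name
]

# Search-time equivalent of `| rex field=host "^(?<host>[^\.]+)"`:
# capture everything up to (not including) the first dot.
SHORT_HOST_RE = re.compile(r"^(?P<host>[^.]+)")

# Index-time equivalent of `SEDCMD-host = s/^([^\.]+)\..*$/\1/`:
# keep group 1 (the first label) and drop the rest of the line.
SED_RE = re.compile(r"^([^.]+)\..*$")


def is_ip_address(value: str) -> bool:
    """True for any syntactically valid IPv4 or IPv6 literal."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def short_hostname(value: str) -> str:
    """rex-style extraction: first label of an FQDN; IPs are returned unchanged."""
    if is_ip_address(value):
        return value
    match = SHORT_HOST_RE.match(value)
    return match.group("host") if match else value


def sed_short_hostname(value: str) -> str:
    """SEDCMD-style substitution giving the same result as short_hostname()."""
    if is_ip_address(value):
        return value
    return SED_RE.sub(r"\1", value)


def normalize_hosts(values):
    """Map each original host value to its normalized form."""
    return {value: short_hostname(value) for value in values}


if __name__ == "__main__":
    for original, normalized in normalize_hosts(SAMPLE_HOSTS).items():
        print(f"{original:35} -> {normalized}")
```

The IP guard is what keeps `10.20.30.40` from being truncated to `10`; the rex in the answer alone would do exactly that. In SPL the same guard can be written at search time as `| eval host=if(match(host,"^\d+\.\d+\.\d+\.\d+$"), host, replace(host,"^([^\.]+)\..*$","\1"))`, which is the pattern I would use when the host field mixes FQDNs and addresses.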
Hi @sumandevops,
You can use the rex command:
| rex field=host "(?<host_no>\d+)"
How to get the first part before `.`
example: the host field looks like
abdc.4567
I want only 4567
Hi @surekhasplunk,
good for you!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉