Refine your search:

How can I rename the host names for my chart?

2

I have a chart that graphs by hostnames, but I don't want to see the fully qualified domain of each host. How could I rename the host values to be a subset of the name or a completely different name?

asked 21 Sep '10, 19:39

Simeon's gravatar image

Simeon ♦
4.1k91034
accept rate: 26%

3 Answers:
oldestnewestmost voted
1

The replace command allows you to rename values in the search results. For example, let us assume you have the following search which produces a chart of error counts by host:

index=webserver sourcetype=syslog ERRORS | timechart count by host

This chart produces the correct output, but you want to alter the host names. This is because they are a very long string and you do not need the fully qualified domain. For example:

host1 = machine1-webserverpool1.subdomain.domain.com host2 = machine2-webserverpool2.subdomain.domain.com

Let's assume I want to rename host1 and host2 to be m1pool1 and m2pool2. You can simply add the following replace command before the timechart:

replace machine1-webserverpool1.subdomain.domain.com with m1pool1, machine2-webserverpool2.subdomain.domain.com with m2pool2 in host

You must make sure you specify the "in host" at the end, which tells Splunk to replace the values within the host field. The final search would be:

index=webserver sourcetype=syslog ERRORS | replace machine1-webserverpool1.subdomain.domain.com with m1pool1, machine2-webserverpool2.subdomain.domain.com with m2pool2 in host | timechart count by host

Alternatively, you could use the rex command in combination with a regex to extract only the portion you want to see. Let's assume I want to completely remove the subdomain and only see the node name. The rex portion might look like:

rex field=host "(?<hostname>.*).subdomain"

The final search would be:

index=webserver sourcetype=syslog ERRORS |  rex field=host "(?<hostname>.*).subdomain" | timechart count by host

The output of this search would show counts for machine1-web-serverpool1 and machine2-web-serverpool2.

link

answered 21 Sep '10, 19:45

Simeon's gravatar image

Simeon ♦
4.1k91034
accept rate: 26%

edited 21 Sep '10, 19:51

1

You can use rex in order to strip the hostname out of the FQDN:

| rex field=hostname "((?<my_host>[^\.]+)\.)?(?<my_domain>(([^\.]+\.)+)?[^\.]+)" | timechart count by my_host
link

answered 21 Sep '10, 19:49

ftk's gravatar image

ftk ♦
6.8k1727
accept rate: 38%

0

You can use the eval command's replace function. 

<your search> | eval host=replace(host, "commonprefix.", "") | <your report split by host>

see my answer to a different question over here -- http://answers.splunk.com/questions/6424/replace-parts-of-a-string/6430#6430

link

answered 21 Sep '10, 19:46

sideview's gravatar image

sideview ♦
25.5k3543
accept rate: 46%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×395
×227
×136
×22

Asked: 21 Sep '10, 19:39

Seen: 1,848 times

Last updated: 21 Sep '10, 19:51

Related questions

Replace/rename a host name with another host name

Splunk and Drilling down into Charts

replace one backslash by double backslash

Change host name at search time

Can I use n field values as field names for summary indexing?

How can i use the output of a search to calculate the time in another search?

Where can I find information on how to track my indexing volume over time?

Can splunk search use rex to pick through 6 lines to get (beginning to end) ERROR condition (I included the lines).

How can I easily filter or limit my search down to a specific group of hosts?

Copyright © 2005-2012 Splunk Inc. All rights reserved.