How to limit the host name coming in the output as...

ethanthomas · ‎04-15-2022

My sample events are like this

event 1

My name is Ethan [host="asw.pbrfinance.sdo.dgr.com"]

My address is 46e 91 st [host="asw.pbrfinance.sdo.dgr.com"]

my city is Atlanta [host="asw.pbrfinance.sdo.dgr.com"]

event 2

My name is Thomas [host="asw..sdo.dgr.cowq234wdwaf.mhh.com"]

My address is 996e 97 st [host="asw..sdo.dgr.cowq234wdwaf.mhh.com"]

my city is Atlanta [host="asw..sdo.dgr.cowq234wdwaf.mhh.com"]

I want to limit the host name coming in the output as only one entry and not multiple times . Is there anyway to do this in props .conf ? Please help me with a proper regex for this .

Expected output

event 1

My name is Ethan [host="asw.pbrfinance.sdo.dgr.com"]

My address is 46e 91 st

my city is Atlanta

richgalloway · ‎04-16-2022

The props.conf file is for inputs, not outputs. Splunk has no way of knowing at input-time if any particular value is a duplicate or not.

It's not clear how the one output event is derived from the two input events.

What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.

How to limit the host name coming in the output as only one entry and not multiple times in props.conf?

field extraction

regex

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability