Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex to modify hostname field and where . is there remove it

surekhasplunk
Communicator
‎03-09-2021 05:18 AM

I have index=syslog where the hostname comes as fqdn and Ip address

i want rex to modify only hostname field only where fqdn is coming and modify then to get only first part of the hostname all after . should be removed and save it in a new field host. 

example : hostname column has hostname which looks like abcd-efg-hij-k23-b1.xyz.gmail

Now after using rex/sed i want in the host field abcd-efg-hij-k23-b1 everything after . should be removed. 

note: i also have ip address which has . in it so while applying rex the ip addresses should not be considered.

It should only affect/take into consideration the alphanumeric field. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 05:27 AM

Hi @surekhasplunk,

let me understand: do you want a regex to extract the hostname before dot at search time or do you want to set the hostname at indextime?

If at searchtime, try this regex

| rex field=host "^(?<host>[^\.]+)"

if you want to replace the hostname using SEDCMD, you could try:

SEDCMD-host = y/[^\.]\.\w+\.\w+/[^\.]/

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎04-15-2021 08:21 AM

Hi @sumandevops,

You can use rex command;

| rex field=host "(?<host_no>\d+)"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 05:27 AM

Hi @surekhasplunk,

let me understand: do you want a regex to extract the hostname before dot at search time or do you want to set the hostname at indextime?

If at searchtime, try this regex

| rex field=host "^(?<host>[^\.]+)"

if you want to replace the hostname using SEDCMD, you could try:

SEDCMD-host = y/[^\.]\.\w+\.\w+/[^\.]/

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

sumandevops
Engager
‎04-15-2021 07:52 AM

How to get first part before . 

 

example: host filed is looks like 

abdc.4567

I want only 4567

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 06:21 AM

Hi @surekhasplunk,

good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...