Here are my _internal Phonehome logs for UF client connections:
xxx.xxx.128.89 - - [21/Oct/2013:09:49:47.820 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.128.89_8089_xxx.xxx.128.89_iuppiter.sub.com_ea HTTP/1.0" 200 1226 - - - 45ms
xxx.xxx.254.211 - - [21/Oct/2013:09:49:47.470 -0500] "POST /services/broker/phonehome/connection_128.157.254.211_8089_sub-ia-dump1.sub.domain.com_sub-ia-dump01.sub.domain.com_ia HTTP/1.0" 200 1300 - - - 42ms
xxx.xxx.182.29 - - [21/Oct/2013:09:49:47.451 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.182.29_8089_sub-ia-render02.sub.domain.com_sub-IA-RENDER02_ia HTTP/1.0" 200 278 - - - 41ms
xxx.xxx.15.201 - - [21/Oct/2013:09:49:47.440 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.15.201_8089_agdl.sub.domain.com_blade014_ea HTTP/1.0" 200 1303 - - - 44ms
xxx.xxx.182.29 - - [21/Oct/2013:09:49:47.384 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.182.29_8089_sub-ia-render02.sub.domain.com_sub-IA-RENDER02_ia HTTP/1.0" 200 2277 - - - 43ms
xxx.xxx.94.221 - - [21/Oct/2013:09:49:47.189 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.94.221_8089_sub-it-bak01a.sub.domain.com_sub-it-bak01a.sub.domain.com_ia HTTP/1.0" 200 278 - - - 41ms
xxx.xxx.138.96 - - [21/Oct/2013:09:49:47.161 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.138.96_8089_sub-ia-snlmdc02.sub.domain.com_sub-ia-snlmdc02.ndc.domain.com_ia HTTP/1.0" 200 1302 - - - 42ms
xxx.xxx.226.17 - - [21/Oct/2013:09:49:47.158 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.226.17_8089_xxx.xxx.226.17_skynet.sub.domain.com_ea HTTP/1.0" 200 1314 - - - 43ms
xxx.xxx.10.12 - - [21/Oct/2013:09:49:47.015 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.12_8089_subb-dacs2.dacs.subb.sub.domain.com_subb-dacs2_w-ra HTTP/1.0" 200 278 - - - 101ms
xxx.xxx.10.4 - - [21/Oct/2013:09:49:46.920 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.4_8089_subb-pta.dacs.subb.sub.domain.com_subb-PTA_w-ra HTTP/1.0" 200 1073 - - - 102ms
xxx.xxx.10.12 - - [21/Oct/2013:09:49:46.826 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.12_8089_subb-dacs2.dacs.subb.sub.domain.com_subb-dacs2_w-ra HTTP/1.0" 200 1075 - - - 101ms
xxx.xxx.10.4 - - [21/Oct/2013:09:49:46.735 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.4_8089_subb-pta.dacs.subb.sub.domain.com_subb-PTA_w-ra HTTP/1.0" 200 1073 - - - 101ms
xxx.xxx.94.117 - - [21/Oct/2013:09:49:46.489 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.94.117_8089_sub-ia-fs01b.sub.domain.com_sub-IA-FS01B_ia HTTP/1.0" 200 1281 - - - 42ms
I want to extract the client host name.
I could use this [ (?i).+phonehome.+_8089_(?P<FIELDNAME>.+?)_ ] but in some cases this produces an IP (see first event in logs above).
I don't know how to get the host name when it is preceded by the client IP first.
Can you help?
An excerpt of the relevant part of some of your events, edited for readability:
_8089_sub-ia-dump1.sub.domain.com _sub-ia-dump01.sub.domain.com _ia
_8089_sub-ia-fs01b.sub.domain.com _sub-IA-FS01B _ia
_8089_subb-dacs2.dacs.subb.sub.domain.com _subb-dacs2 _w-ra
_8089_xxx.xxx.226.17 _skynet.sub.domain.com _ea
_8089_sub-ia-snlmdc02.sub.domain.com _sub-ia-snlmdc02.ndc.domain.com _ia
_8089_sub-ia-render02.sub.domain.com _sub-IA-RENDER02 _ia
_8089_xxx.xxx.128.89 _iuppiter.sub.com _ea
It seems that an underscore separates the values you're after within the string. (I take it you want the second column above, right?) Then the following regex should work for you:
index=_internal phonehome | rex "_8089_[^_]+_(?<myfield>[^_]+)_" | ...
UPDATE:
I believe this should work, i.e. if the first part is an IP address, it will skip over to the next part.
index=_internal phonehome | rex "_8089_(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}_)?(?<myfield>[^_]+)_" | ...
Hope this helps,
K
see update above
you want the first 'column' but only if it's a FQDN, otherwise take 'column' 2, so to speak?
Thanks Kristian this helps.
Like I said above I was hoping to get the FQDN.
Thanks for the help.
I got good results with this regex string
(?i).+phonehome.+8089_(.+_)?(?P<fieldname>.+?)_
A helpful site for testing regex strings is RegexPlanet.
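The three patterns posted in this thread, compared side by side on constructed URIs. This is an added example, not code from any poster: Splunk's (?<name>...) groups are written as Python's (?P<name>...), and the helper names (extract, is_ip, client_name) and the 192.0.2.x sample addresses are assumptions made for the illustration.

```python
import ipaddress
import re

# Thread's patterns; Splunk's (?<name>...) becomes Python's (?P<name>...),
# and the last pattern's group is renamed to myfield so all three share one name.
PATTERNS = {
    "second_column": r"_8089_[^_]+_(?P<myfield>[^_]+)_",
    "skip_leading_ip": r"_8089_(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}_)?(?P<myfield>[^_]+)_",
    "asker_final": r"(?i).+phonehome.+8089_(.+_)?(?P<myfield>.+?)_",
}

# Constructed URIs modelled on the events above; IPs are documentation addresses.
BASE = "/services/broker/phonehome/connection_"
SAMPLES = [
    BASE + "192.0.2.17_8089_192.0.2.17_skynet.sub.domain.com_ea",
    BASE + "192.0.2.29_8089_sub-ia-render02.sub.domain.com_sub-IA-RENDER02_ia",
    BASE + "192.0.2.96_8089_sub-ia-snlmdc02.sub.domain.com_sub-ia-snlmdc02.ndc.domain.com_ia",
]

def extract(pattern_name, uri):
    """Return the myfield capture for one pattern, or None if it does not match."""
    m = re.search(PATTERNS[pattern_name], uri)
    return m.group("myfield") if m else None

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def client_name(uri):
    """First column after _8089_ unless it is an IP, then the second column.
    Assumes host names contain no underscore, as in the events on this page."""
    _, sep, tail = uri.partition("_8089_")
    parts = tail.split("_")
    if not sep or len(parts) < 3:
        return None
    return parts[1] if is_ip(parts[0]) else parts[0]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri.partition("_8089_")[2])
        for name in PATTERNS:
            print(f"  {name:16} -> {extract(name, uri)}")
        print(f"  {'client_name':16} -> {client_name(uri)}")
```

The first and last patterns always return the second column, while the pattern from the UPDATE returns the first column unless it is a dotted-quad IP; client_name makes the same choice without a regex.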