Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex Extracting Phonehome client name

hartfoml
Motivator
‎10-21-2013 08:36 AM

Here are my _internal Phonehome logs for UF client connections:

xxx.xxx.128.89 - - [21/Oct/2013:09:49:47.820 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.128.89_8089_xxx.xxx.128.89_iuppiter.sub.com_ea HTTP/1.0" 200 1226 - - - 45ms
xxx.xxx.254.211 - - [21/Oct/2013:09:49:47.470 -0500] "POST /services/broker/phonehome/connection_128.157.254.211_8089_sub-ia-dump1.sub.domain.com_sub-ia-dump01.sub.domain.com_ia HTTP/1.0" 200 1300 - - - 42ms
xxx.xxx.182.29 - - [21/Oct/2013:09:49:47.451 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.182.29_8089_sub-ia-render02.sub.domain.com_sub-IA-RENDER02_ia HTTP/1.0" 200 278 - - - 41ms
xxx.xxx.15.201 - - [21/Oct/2013:09:49:47.440 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.15.201_8089_agdl.sub.domain.com_blade014_ea HTTP/1.0" 200 1303 - - - 44ms
xxx.xxx.182.29 - - [21/Oct/2013:09:49:47.384 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.182.29_8089_sub-ia-render02.sub.domain.com_sub-IA-RENDER02_ia HTTP/1.0" 200 2277 - - - 43ms
xxx.xxx.94.221 - - [21/Oct/2013:09:49:47.189 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.94.221_8089_sub-it-bak01a.sub.domain.com_sub-it-bak01a.sub.domain.com_ia HTTP/1.0" 200 278 - - - 41ms
xxx.xxx.138.96 - - [21/Oct/2013:09:49:47.161 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.138.96_8089_sub-ia-snlmdc02.sub.domain.com_sub-ia-snlmdc02.ndc.domain.com_ia HTTP/1.0" 200 1302 - - - 42ms
xxx.xxx.226.17 - - [21/Oct/2013:09:49:47.158 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.226.17_8089_xxx.xxx.226.17_skynet.sub.domain.com_ea HTTP/1.0" 200 1314 - - - 43ms
xxx.xxx.10.12 - - [21/Oct/2013:09:49:47.015 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.12_8089_subb-dacs2.dacs.subb.sub.domain.com_subb-dacs2_w-ra HTTP/1.0" 200 278 - - - 101ms
xxx.xxx.10.4 - - [21/Oct/2013:09:49:46.920 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.4_8089_subb-pta.dacs.subb.sub.domain.com_subb-PTA_w-ra HTTP/1.0" 200 1073 - - - 102ms
xxx.xxx.10.12 - - [21/Oct/2013:09:49:46.826 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.12_8089_subb-dacs2.dacs.subb.sub.domain.com_subb-dacs2_w-ra HTTP/1.0" 200 1075 - - - 101ms
xxx.xxx.10.4 - - [21/Oct/2013:09:49:46.735 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.10.4_8089_subb-pta.dacs.subb.sub.domain.com_subb-PTA_w-ra HTTP/1.0" 200 1073 - - - 101ms
xxx.xxx.94.117 - - [21/Oct/2013:09:49:46.489 -0500] "POST /services/broker/phonehome/connection_xxx.xxx.94.117_8089_sub-ia-fs01b.sub.domain.com_sub-IA-FS01B_ia HTTP/1.0" 200 1281 - - - 42ms

I want to extract the client host name.
I could use this [ (?i).+phonehome.+_8089_(?P<FIELDNAME>.+?)_ ] but in some cases this produces an IP (see first event in logs above)

I don't know who to get the host name when it is preceded by the client IP first.
Can you help?

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-21-2013 10:09 AM

An excerpt of the relevant part of some of your events, edited for redability.

_8089_sub-ia-dump1.sub.domain.com          _sub-ia-dump01.sub.domain.com     _ia
_8089_sub-ia-fs01b.sub.domain.com          _sub-IA-FS01B                     _ia
_8089_subb-dacs2.dacs.subb.sub.domain.com  _subb-dacs2                       _w-ra
_8089_xxx.xxx.226.17                       _skynet.sub.domain.com            _ea
_8089_sub-ia-snlmdc02.sub.domain.com       _sub-ia-snlmdc02.ndc.domain.com   _ia
_8089_sub-ia-render02.sub.domain.com       _sub-IA-RENDER02                  _ia
_8089_xxx.xxx.128.89                       _iuppiter.sub.com                 _ea

It seems that underscore separates the values you're after within the string. (I take it you want the second column above, right?) Then the following regex should work for you;

index=_internal phonehome | rex "_8089_[^_]+_(?<myfield>[^_]+)_" | ...

UPDATE:

I believe this should work, i.e. if the first part is an IP address, it will skip over to the next part.

index=_internal phonehome | rex "_8089_(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}_)?(?<myfield>[^_]+)_" | ...

Hope this helps,

K

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-21-2013 10:55 AM

see update above

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-21-2013 10:33 AM

you want the first 'column' but only if it's a FQDN, otherwise take 'column' 2, so to speak?

0 Karma
Reply

hartfoml
Motivator
‎10-21-2013 10:27 AM

Thanks Kristian this helps.

Like I said above I was hoping to get the FQDN.

Thanks for the help.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2013 09:57 AM

I got good results with this regex string

(?i).+phonehome.+8089_(.+_)?(?P<fieldname>.+?)_

A helpful site for testing regex strings is RegexPlanet.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...