Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reverse-order a DNS at search time

ahamilton
New Member
‎02-13-2014 09:21 AM

Hi all,

In certain search, Splunk returns DNS hostnames, for example:
a.monetate.net.akadns.net
evsecure-ocsp.verisign.com

To facilitate sorting, I'd like to have the names displayed in reverse order across the dots, e.g.:
net.akadns.net.monetate.a
com.verisign.evsecure-ocsp

I've found some examples that suggest how to change word order but Splunk rejects it during search:

sourcetype=dns | rex field=domain mode=sed "s/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//"

Yields: Error in 'rex' command: Failed to initialize sed. Invalid option string: (.)(.*\n)/&\2\1/;//D;s/.//

Ideas?

folkstalk [dot] com/2011/12/methods-to-reverse-string-using-unix.html
programmingforums [dot] org/post188712.html

Tags (2)
0 Karma
Reply

yplambert
New Member
‎03-06-2014 11:01 AM

I've not written it yet, but my plan to handle this is to write a dynamic lookup that does the equivalent of this (in perl):

$sortable_name=$hostname;
$sortable_name=~s{(\d+)}{sprintf "%09d", $1}g;
$sortable_name=join('.', reverse(split(/\./, $sortable_name)));
return $sortable_name;

So given a field with the hostname, it'd return a new field with a "sortable name." You could sort on that field, and then remove it from the results.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...