Solved: How do I edit my regex to capture the shortname fr...

renems · ‎11-19-2015

I'm trying to create a new field based on the host field. The new field (hostname) should only contain the shortname. The host field is currently a mix of fqdn and shortnames:

server1.linux.splunk.co.uk
server2.linux.splunk.co.uk
server3
server4.linux.splunk.co.uk

So far, this comes close to what I'm trying to achieve:

| rex field=host "(?P<hostname>[^ ]+?)\."

Works great for all entries that actually do have a dot (.) in the text (number1, 2, 4). The ones without a dot (.) return blank. How do I also include the ones that don't need modification at all? (number 3)

Any help greatly appreciated!

ltrand · ‎11-19-2015

It's too greedy to put against just a block of text, but as long as the field is sanitary, this should work:

(?P<hostname>[^.]+)

View solution in original post

ltrand · ‎11-19-2015

It's too greedy to put against just a block of text, but as long as the field is sanitary, this should work:

(?P<hostname>[^.]+)

renems · ‎11-19-2015

It does! Kudo's for you, my friend!

How do I edit my regex to capture the shortname from a mix of FQDN and shortname host field entries?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!