Splunk Search

Field Extraction of a hostname

daniel333
Builder

Should be easy enough, but not working for me. I am trying to pull a hostname of a log. I am terrible at regex and trying to get better.
^ = starts with
.* = any number of characters
_ = space?

transforms.conf

DEST_KEY = MetaData:Host
REGEX = ^(.*)_
FORMAT = host::$1

Here is format of the log:

localhost nmap 25 tcp allowed smtp

For some reason it's not extracting this hostname.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Answered below, but from one RegEx certifiable person to another: I found this to be a great learning tool. 🙂

0 Karma

Richfez
SplunkTrust
SplunkTrust

Oh, I like that, I'll add it to the arsenal of regex101.com...

0 Karma

Richfez
SplunkTrust
SplunkTrust

If it's always the first space-delimited item in the log, then try...

REGEX=^[^\s]*

(the rest is the same). That's from the start of the string ^ search characters that aren't [^...] a space \s, and grab zero or more of those *

s2_splunk
Splunk Employee
Splunk Employee

I think you are missing a capturing group in there: REGEX=^([^\s]*) should do it.

Richfez
SplunkTrust
SplunkTrust

Oh, good catch, thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...