Splunk Search

How to extract field value in one index for comparison with other index using join dynamically

umsundar2015
Path Finder

Hi,

In index1, I have a field called hostname with values:
sxer123
sdcfgg
SDFCXZ

I have a field called hostname in index2 with values like:
172.34.23.33
sxer123.amazon.com
sdcfgg.bb.amazon.com

Now I need to join these 2 indexes on the hostname field. Here I don't want to miss any values.
Now how do I segregate the IP address fully, with sxer123 and sdcfgg, in index2 for joining with the index1 hostname values?
Can someone provide me the regex for this?

0 Karma
1 Solution

gokadroid
Motivator
Try this regex based on your comments 

(IP-)*(?<hostName>[^\.\s]+)

0 Karma

umsundar2015
Path Finder

Thank you gokadroid,

but it didn't fulfill my need...

Please give me some other regex...

0 Karma

gokadroid
Motivator

Which one did the regex below miss? I have updated the same in the answer as well based on your comments.

(IP-)*(?<hostName>[^\.\s]+)
0 Karma

umsundar2015
Path Finder

Thanks gokadroid

It's working, but I am not getting the normal IP format.

For the IP 172.26.80.26, I am getting only 172 and not the full IP.

Can you suggest me a way of getting that too in the same regex?

0 Karma

umsundar2015
Path Finder

OK, I got it. Thank you.

0 Karma

gcusello
SplunkTrust

I'm not sure I have understood your question: you need to extract the first part of the hostname (sxer123 instead of sxer123.amazon.com), but what do you mean by "segregate the IP address"?
Anyway, with the following regex you extract the first part of the hostname and keep the full IP address:

(?<hostname>(\d+\.\d+\.\d+\.\d+)|(\w+)).*

172.34.23.33
sxer123
sdcfgg

You can see the extraction here: https://regex101.com/r/wSi50Q/1

Bye.
Giuseppe

0 Karma

umsundar2015
Path Finder

Thanks for your reply Giuseppe,

sorry, I wrongly mentioned the word "segregate".

Now I have some more values too in the same field, like:

DC09-MWV-CA01- - I need this fully
IP-172-29-196-97.DTCC.COM - I need 172-29-196-97 alone
D09-TLV-OAG01B.TEST.CLARIENT.LOCAL - I need D09-TLV-OAG01B alone
D09-ULV-BPMS02.UAT.CLARIENT.LOCAL - I need D09-ULV-BPMS02 alone

How do I evaluate this in the same regex as the one suggested above? I need only one regex for all these conditions.

I know it's a bit tricky, but the data is like that. Sorry.

0 Karma

gcusello
SplunkTrust

Using this regex you extract all that you want:

(?<hostname>[^ .]+)((\s)|(\..*))?

with the exception of IP-, which you have to manage afterwards:
inserting IP- as a prefix in the other hostname, or removing it with the eval command

yoursearch | rex field=hostname "(?<hostname>[^ .]+)((\s)|(\..*))?" | eval hostname=if(substr(hostname,1,3)="IP-",substr(hostname,4),hostname) | ...

see the regex at https://regex101.com/r/wSi50Q/2

Bye.
Giuseppe

0 Karma

umsundar2015
Path Finder

OK, thank you Giuseppe.

0 Karma

gcusello
SplunkTrust

I don't know if you need the IP in the normal format; to do this you can use

| rex field=hostname mode=sed "s/^(\d+)-(\d+)-(\d+)-(\d+)$/\1.\2.\3.\4/"

Bye.
Giuseppe

0 Karma
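A worked example of the normalisation and join discussed in this thread, added here as an illustration; it is not code from any of the posts above. It is written in Python rather than SPL so it can be run offline. The two value lists are the sample values quoted in the thread (constructed lists, not real index contents). Two choices are my own additions and not something the thread states: the join key is lower-cased on both sides, because a join on exact values would otherwise drop rows that differ only in case, and the join is a full outer join so that keys present on only one side are still reported.

```python
import re
from collections import defaultdict

# Sample values as quoted in the thread (constructed for this example).
INDEX1 = ["sxer123", "sdcfgg", "SDFCXZ"]
INDEX2 = [
    "172.34.23.33",
    "sxer123.amazon.com",
    "sdcfgg.bb.amazon.com",
    "DC09-MWV-CA01-",
    "IP-172-29-196-97.DTCC.COM",
    "D09-TLV-OAG01B.TEST.CLARIENT.LOCAL",
    "D09-ULV-BPMS02.UAT.CLARIENT.LOCAL",
]

# First alternative: an IPv4 address written with dots or dashes, optionally
# behind the "IP-" prefix seen in names like IP-172-29-196-97.DTCC.COM, and
# followed by a dot, whitespace or end of string so "10abc" is not taken as an IP.
# Second alternative: everything up to the first dot or whitespace, i.e. the
# short hostname, hyphens included (D09-TLV-OAG01B, DC09-MWV-CA01-).
HOST_RE = re.compile(
    r"^(?:IP-)?(?P<ip>\d{1,3}(?:[-.]\d{1,3}){3})(?:[.\s]|$)"
    r"|^(?P<name>[^.\s]+)"
)


def normalize_hostname(value):
    """Return the join key for one hostname-field value, or None if empty.

    IP forms are returned in dotted notation; the dash-to-dot rewrite is
    applied only here, so hyphenated hostnames keep their hyphens.
    Hostnames are lower-cased (my addition) so the join is case-insensitive.
    """
    m = HOST_RE.match(value.strip())
    if not m:
        return None
    if m.group("ip"):
        return m.group("ip").replace("-", ".")
    return m.group("name").lower()


def outer_join(index1_values, index2_values):
    """Full outer join of the two value lists on the normalised key.

    Returns {key: (index1_originals, index2_originals)}. A key seen on only
    one side is still present, with an empty list on the other side, so no
    value is silently dropped the way an inner join would drop it.
    """
    table = defaultdict(lambda: ([], []))
    for v in index1_values:
        k = normalize_hostname(v)
        if k is not None:
            table[k][0].append(v)
    for v in index2_values:
        k = normalize_hostname(v)
        if k is not None:
            table[k][1].append(v)
    return dict(table)


if __name__ == "__main__":
    for key, (left, right) in sorted(outer_join(INDEX1, INDEX2).items()):
        print(f"{key:18} index1={left} index2={right}")
```

Two things the script makes explicit that a one-line rex leaves implicit: the dash-to-dot rewrite is restricted to values that parsed as a dashed IP, so D09-TLV-OAG01B is not turned into D09.TLV.OAG01B, and the join reports the keys that exist on one side only (sdfcxz and the bare IPs), which is what "I don't want to miss any values" requires. In Splunk terms that means `join type=outer hostname` rather than the default inner join, or, for larger result sets, appending both searches and running `stats values(*) by hostname` on the normalised field.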

umsundar2015
Path Finder

I got the values as desired.
Thank you

0 Karma