Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining 2 RE into single RE

muralisushma7
Explorer
‎02-08-2017 01:22 AM

Hi,

For every event in the SPLUNK, I have set the RE for host field. In general all the input to Splunk is of the form: rdnglagos010-1-1.Fa0-1.ncr.com, hence I set the RE as (?\w+-\d+-\d.+) while indexing the data. Now, apart from this, I also have input of the form: fusxpowtc1.eth-s4p1, hence I set the RE as (?\w+..+). When I combine them as (?\w+-\d+-\d.+)| (?\w+..+), I get the correct output for fuspowtc1.eth-s4p1 but for other one it displays as 1.ncr.com.

Can someone help me in writing a single RE such that host field should display correct output.

Let me know if you need any more information.

Regards,
Sushma.

Tags (2)
0 Karma
Reply

muralisushma7
Explorer
‎02-09-2017 11:36 PM

Hi somesoni2,

I am trying to extract these fields from raw data itself.

Regards,
Sushma.

0 Karma
Reply

somesoni2
Revered Legend
‎02-10-2017 07:37 AM

You would need to setup a boundary of some sort so that combined regex works. Can you post a sample event for each type of host format? Scrub any sensitive data before posting.

0 Karma
Reply

somesoni2
Revered Legend
‎02-09-2017 06:59 AM

You're trying to extract these fields from raw data or any other field? Can we have some sample entries? DIfferent regex is required for both the cases.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-08-2017 05:25 AM

This works for me in regex101.com

(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

muralisushma7
Explorer
‎02-09-2017 11:34 PM

Hi,

Ran the above search and fusxpowtc1.eth-s4p1 displayed under host field where as the fileds h1 and h2 are empty.

Regards,
Sushma.

0 Karma
Reply

DalJeanis
Legend
‎02-10-2017 10:23 AM

We really need a more complete example of the _raw to help you work this out.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-10-2017 07:37 AM

What version of Splunk are you using? Please copy-and-paste your search as code so we can see it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

muralisushma7
Explorer
‎02-08-2017 11:42 PM

Hi,

Still it is not working for me. I executed the RE that you gave.

It displays the output as rdnglagos010-1-1.Fa0-1.ncr.com in the host field which is correct but for the other one it displays the VM name in the host field rather than fusxpowtc1.eth-s4p1.

What can I do?

Regards,
Sushma.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-09-2017 05:51 AM

Try this run-anywhere search. Field h2 should match the second host name. If it does not then there is something wrong in your search.

| makeresults 2 | eval host="fusxpowtc1.eth-s4p1" | rex field=host "(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)" | table host h1 h2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...