Hi,
For every event in Splunk, I have set the RE for the host field. In general, all the input to Splunk is of the form rdnglagos010-1-1.Fa0-1.ncr.com, hence I set the RE as (?\w+-\d+-\d.+) while indexing the data. Now, apart from this, I also have input of the form fusxpowtc1.eth-s4p1, hence I set the RE as (?\w+..+). When I combine them as (?\w+-\d+-\d.+)| (?\w+..+), I get the correct output for fusxpowtc1.eth-s4p1, but for the other one it displays as 1.ncr.com.
Can someone help me write a single RE such that the host field displays the correct output?
Let me know if you need any more information.
Regards,
Sushma.
Hi somesoni2,
I am trying to extract these fields from raw data itself.
Regards,
Sushma.
You would need to set up a boundary of some sort so that the combined regex works. Can you post a sample event for each type of host format? Scrub any sensitive data before posting.
Are you trying to extract these fields from raw data or from some other field? Can we have some sample entries? A different regex is required for each of the two cases.
This works for me in regex101.com
(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)
Hi,
I ran the above search, and fusxpowtc1.eth-s4p1 is displayed under the host field, whereas the fields h1 and h2 are empty.
Regards,
Sushma.
We really need a more complete example of the _raw to help you work this out.
What version of Splunk are you using? Please copy-and-paste your search as code so we can see it.
Hi,
It is still not working for me. I executed the RE that you gave.
It displays the output as rdnglagos010-1-1.Fa0-1.ncr.com in the host field, which is correct, but for the other one it displays the VM name in the host field rather than fusxpowtc1.eth-s4p1.
What can I do?
Regards,
Sushma.
Try this run-anywhere search. Field h2 should match the second host name. If it does not then there is something wrong in your search.
| makeresults 2 | eval host="fusxpowtc1.eth-s4p1" | rex field=host "(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)" | table host h1 h2
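Added example, not from any poster in this thread: the combined regex from the answer above run against the two bare host values (the equivalent of the run-anywhere makeresults check) and against constructed syslog-style _raw lines that embed them. It shows the "boundary" point made earlier: the posted alternation is correct when the input is the host value alone, but both branches end in an unbounded .+, so applied to _raw they swallow the rest of the event; a whitespace-bounded variant and a position-based variant stop at the hostname. The _raw lines, their syslog layout, and the BOUNDED and POSITIONAL patterns are my assumptions, not anything from the thread.

```javascript
// Constructed sample inputs (not from the thread): the two bare host values
// from the question, and two assumed syslog-style _raw lines that embed them.
const BARE_HOSTS = ["rdnglagos010-1-1.Fa0-1.ncr.com", "fusxpowtc1.eth-s4p1"];
const RAW_EVENTS = [
  "Jan 10 12:00:01 rdnglagos010-1-1.Fa0-1.ncr.com ifup: interface Fa0/1 up",
  "Jan 10 12:00:02 fusxpowtc1.eth-s4p1 kernel: eth-s4p1 link is up",
];

// The alternation exactly as posted in the thread. Each branch ends in .+,
// so whichever branch matches runs to the end of whatever string it is given.
const UNBOUNDED = /(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)/;

// Assumed fix: same two branches, but each must start at line start or after
// whitespace, may only consume non-whitespace (\S*), and must be followed by
// whitespace or end of string. A hostname embedded in _raw is then extracted
// on its own. Note the second branch still matches any "word.rest" token, so
// a dotted token that appears before the host (e.g. a process name) would win.
const BOUNDED = /(?:^|\s)(?:(?<h1>\w+-\d+-\d\S*)|(?<h2>\w+\.\S*))(?=\s|$)/;

// Assumed alternative for _raw: ignore the host's shape entirely and take the
// token at the position where syslog puts it (after "Mon DD HH:MM:SS").
const POSITIONAL = /^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?<host>\S+)/;

// Return the value of whichever named group participated in the match,
// or null when the regex does not match at all.
function extractHost(line, re) {
  const m = re.exec(line);
  if (m === null || m.groups === undefined) return null;
  for (const value of Object.values(m.groups)) {
    if (value !== undefined) return value;
  }
  return null;
}

function extractAll(lines, re) {
  return lines.map((line) => extractHost(line, re));
}

// Stand-alone demonstration: bare hosts behave identically under both
// patterns; on _raw only the bounded and positional patterns isolate the host.
for (const [label, re] of [["UNBOUNDED", UNBOUNDED], ["BOUNDED", BOUNDED], ["POSITIONAL", POSITIONAL]]) {
  console.log(label, "bare:", extractAll(BARE_HOSTS, re));
  console.log(label, "_raw:", extractAll(RAW_EVENTS, re));
}
```

The bare-host results are why the makeresults check succeeds for everyone in the thread; the _raw results are why the answerers keep asking for sample events before writing the final regex, since the boundary that works depends on what surrounds the host in the actual data.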