Splunk Search

Combining 2 RE into single RE

muralisushma7
Explorer

Hi,

For every event in Splunk, I have set the RE for the host field. In general, all the input to Splunk is of the form rdnglagos010-1-1.Fa0-1.ncr.com, hence I set the RE as (?<host>\w+-\d+-\d.+) while indexing the data. Now, apart from this, I also have input of the form fusxpowtc1.eth-s4p1, hence I set the RE as (?<host>\w+..+). When I combine them as (?<host>\w+-\d+-\d.+)| (?<host>\w+..+), I get the correct output for fusxpowtc1.eth-s4p1, but for the other one it displays as 1.ncr.com.

Can someone help me in writing a single RE such that the host field displays the correct output?

Let me know if you need any more information.

Regards,
Sushma.


muralisushma7
Explorer

Hi somesoni2,

I am trying to extract these fields from raw data itself.

Regards,
Sushma.


somesoni2
Revered Legend

You would need to set up a boundary of some sort so that the combined regex works. Can you post a sample event for each type of host format? Scrub any sensitive data before posting.


somesoni2
Revered Legend

Are you trying to extract these fields from raw data or from another field? Can we have some sample entries? A different regex is required for each of the two cases.


richgalloway
SplunkTrust

This works for me in regex101.com:

(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)
---
If this reply helps you, Karma would be appreciated.

muralisushma7
Explorer

Hi,

I ran the above search, and fusxpowtc1.eth-s4p1 was displayed under the host field, whereas the fields h1 and h2 are empty.

Regards,
Sushma.


DalJeanis
Legend

We really need a more complete example of the _raw to help you work this out.


richgalloway
SplunkTrust

What version of Splunk are you using? Please copy-and-paste your search as code so we can see it.

---
If this reply helps you, Karma would be appreciated.

muralisushma7
Explorer

Hi,

It is still not working for me. I executed the RE that you gave.

It displays the output as rdnglagos010-1-1.Fa0-1.ncr.com in the host field, which is correct, but for the other one it displays the VM name in the host field rather than fusxpowtc1.eth-s4p1.

What can I do?

Regards,
Sushma.


richgalloway
SplunkTrust

Try this run-anywhere search. Field h2 should match the second host name. If it does not, then there is something wrong in your search.

| makeresults 2 | eval host="fusxpowtc1.eth-s4p1" | rex field=host "(?<h1>\w+-\d+-\d.+)|(?<h2>\w+\..+)" | table host h1 h2
---
If this reply helps you, Karma would be appreciated.
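The combined pattern from richgalloway's two replies above, run outside Splunk so the alternation can be checked on its own, as an added example that is not part of this thread. It uses Python's re module (Python spells named groups (?P<name>...) where Splunk's PCRE uses (?<name>...)); extract_host mimics rex followed by eval host=coalesce(h1, h2). The second, bounded pattern with \S+ instead of .+ is my addition, illustrating the "boundary" somesoni2 asked about: when the regex is applied to a whole _raw line rather than to a clean host value, a trailing .+ swallows everything to the end of the line. The sample host values are the two from the question; the raw event line is constructed.

```python
import re

# Pattern as posted in the answer: h1 for the dash-numbered form,
# h2 for the plain dotted form. Alternatives are tried left to right.
ANSWER_PATTERN = re.compile(r"(?P<h1>\w+-\d+-\d.+)|(?P<h2>\w+\..+)")

# Bounded variant (my addition, not from the thread): \S+ stops at the
# first whitespace, so the host does not run on to the end of a raw event.
BOUNDED_PATTERN = re.compile(r"(?P<h1>\w+-\d+-\d\S+)|(?P<h2>\w+\.\S+)")


def extract_host(text, pattern=ANSWER_PATTERN):
    """Return the host captured by whichever alternative matched.

    Equivalent of the SPL `| rex ... | eval host=coalesce(h1, h2)`.
    Returns None when neither alternative matches.
    """
    m = pattern.search(text)
    if not m:
        return None
    # Only one of the two groups is populated; the other is None.
    return m.group("h1") or m.group("h2")


def matched_group(text, pattern=ANSWER_PATTERN):
    """Name of the alternative that matched ('h1' or 'h2'), or None."""
    m = pattern.search(text)
    return m.lastgroup if m else None


# Sample inputs: the two host values from the question, plus a constructed
# raw event line in which the host is embedded among other fields.
HOSTS = ["rdnglagos010-1-1.Fa0-1.ncr.com", "fusxpowtc1.eth-s4p1"]
RAW_EVENT = "host=fusxpowtc1.eth-s4p1 msg=interface up"  # constructed


if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:35s} -> {matched_group(h)} = {extract_host(h)}")
    # Applied to a whole event line, .+ over-captures; \S+ stops at the space.
    print("unbounded:", extract_host(RAW_EVENT))
    print("bounded:  ", extract_host(RAW_EVENT, BOUNDED_PATTERN))
```

On the two clean host values both patterns behave identically, with h1 taking the first host and h2 the second, which is the result richgalloway's makeresults search should show. The difference only appears on the raw line: the unbounded pattern returns "fusxpowtc1.eth-s4p1 msg=interface up", the bounded one returns just the host. If the search in the thread populates host but leaves h1 and h2 empty, the rex is not being applied to the field that holds the value, which is the point of the "copy-and-paste your search" request above.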