Hi,
i want to search for hosts which always have 3 letters at the begin of the dns name.
search:
index="myindex" host="(letter)(letter)(letter)server*"
Result should be:
xxxserver01
aaaserver01
bbbserver01
cccserver01
....
Thanks!
Christoph
You could use regex:
index="myindex" | regex host="^[a-zA-Z]{3}server"
Depending upon what's in "myindex" this is a pretty expensive search, if you can narrow down the results processed by "| regex ..." in any way you should.
You could use regex:
index="myindex" | regex host="^[a-zA-Z]{3}server"
Depending upon what's in "myindex" this is a pretty expensive search, if you can narrow down the results processed by "| regex ..." in any way you should.
The regex
command expects full regular expression representation of the values of the field, so you would want to add a .+
at the end after server
to incorporate those numbers at the end of host names.
I ran a test search on 6.5.5 without doing the full field match and it worked, and I don't see that requirement in the search manual:
Am I missing something?
Actually I take that back. I can swear it didn't work for me in some version. May be my memory needs updates.
index="myindex" host="server"|where match(source, "^[a-zA-Z]{3}server.*")
Hi,
thank you thats the perfect solution for me =).
| where match(source, "^[a-zA-Z]{3}server.*")
Result:
The result must contain 3 letters before "server".
xxxserveryyy
Thanks
Christoph