Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i search for a host wich must have 3 letters at the begin of the dns name ?

criedman
Explorer
‎11-27-2017 05:54 AM

Hi,

i want to search for hosts which always have 3 letters at the begin of the dns name.

search:

index="myindex" host="(letter)(letter)(letter)server*"

Result should be:

xxxserver01
aaaserver01
bbbserver01
cccserver01
....

Thanks!
Christoph

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wenthold
Communicator
‎11-27-2017 07:15 AM

You could use regex:

index="myindex" | regex host="^[a-zA-Z]{3}server"

Depending upon what's in "myindex" this is a pretty expensive search, if you can narrow down the results processed by "| regex ..." in any way you should.

View solution in original post

Reply
Solved! Jump to solution
Solution

wenthold
Communicator
‎11-27-2017 07:15 AM

You could use regex:

index="myindex" | regex host="^[a-zA-Z]{3}server"

Depending upon what's in "myindex" this is a pretty expensive search, if you can narrow down the results processed by "| regex ..." in any way you should.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-27-2017 08:34 AM

The regex command expects full regular expression representation of the values of the field, so you would want to add a .+ at the end after server to incorporate those numbers at the end of host names.

0 Karma
Reply
Solved! Jump to solution

wenthold
Communicator
‎11-27-2017 08:52 AM

I ran a test search on 6.5.5 without doing the full field match and it worked, and I don't see that requirement in the search manual:

search reference - regex

Am I missing something?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-27-2017 08:59 AM

Actually I take that back. I can swear it didn't work for me in some version. May be my memory needs updates.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎11-27-2017 07:39 AM

index="myindex" host="server"|where match(source, "^[a-zA-Z]{3}server.*")

0 Karma
Reply
Solved! Jump to solution

criedman
Explorer
‎11-27-2017 11:46 PM

Hi,

thank you thats the perfect solution for me =).

| where match(source, "^[a-zA-Z]{3}server.*")

Result:
The result must contain 3 letters before "server".

xxxserveryyy

Thanks
Christoph

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...