Splunk Search

Extract domain from FQDN in Windows Event log

bkcarter
Path Finder

I need to create a transform stanza that will separate some events depending on which domain they originate from.

They are in Windows Forwarded Event logs.
I have the props.conf and transform.conf all complete except for the regex.

The line I need to extract from is:

ComputerName=machine.domain.local

"domain.local" is what I need to check against. It may be "domain.local" in one event, but "newdomain.com" in another event. My transforms need to put these different events into different indexes.

I am having a difficult time understanding how to apply the REGEX expression.

If I use the web-based field extraction in Splunk, it gives me the following expression:

(?i).*?\.(?P<FIELDNAME>\w+\.\w+)

I am not sure how I translate this into the transform.conf stanza.

Any help would be greatly appreciated!


Rob
Splunk Employee

bkcarter, you might want to test this in your Splunk search using the rex command like so:

|rex field=_raw ".*ComputerName=machine\.(?<myFieldName>\w+\.\w+)"

If you are not sure what the ComputerName or machine name is going to be then try:

|rex field=_raw ".*=\w+\.(?<myFieldName>\w+\.\w+)"

The trouble with not being as specific here is that this regex will match anything that has a word with three periods after an equal sign (e.g. =my.random.string). If you can be more specific about either the ComputerName or the machine part of the regex, then you will want to do so.

In the transforms stanza you would simply put:

REGEX = .*=machine\.(?<myFieldName>\w+\.\w+)

You could also copy and paste most of the line from the interactive field extractor that you have above as the regex is pretty similar:

REGEX = .*?\.(?P<FIELDNAME>\w+\.\w+)

Hope that helps, and please don't forget to vote!
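To see why the answer recommends anchoring on ComputerName, here is an added example (not from the original thread) that runs the loose and the anchored regex over a few constructed event lines, using Python's re module as a stand-in for Splunk's PCRE engine; the index routing table and the field names other than ComputerName are assumptions for illustration.

```python
import re

# Constructed sample event lines (not from the original post), shaped like
# Windows forwarded events that carry a ComputerName=host.domain field.
SAMPLE_EVENTS = [
    "EventCode=4624 ComputerName=machine.domain.local Type=Information",
    "EventCode=4624 ComputerName=dc01.newdomain.com Type=Information",
    # A later field also looks like word.word.word (assumed field name);
    # the loose regex captures from it instead of from ComputerName.
    "ComputerName=ws07.domain.local TargetUserName=svc.backup.job",
    # No ComputerName at all: the loose regex still produces a value.
    "Message=my.random.string",
]

# Loose pattern from the answer (any key=): the greedy .* makes it settle on
# the LAST "=word.word.word" in the line, whatever the key is.
LOOSE = re.compile(r".*=\w+\.(?P<domain>\w+\.\w+)")

# Anchored on the key that matters. Splunk's PCRE accepts (?<name>...);
# Python needs (?P<name>...), which PCRE accepts too, so this form works in both.
STRICT = re.compile(r"ComputerName=\w+\.(?P<domain>\w+\.\w+)")


def extract_domain(event, pattern):
    """Return the captured domain or None, as rex would populate the field."""
    m = pattern.search(event)
    return m.group("domain") if m else None


def route_index(domain):
    """Assumed routing table, standing in for the transforms DEST_KEY/FORMAT step."""
    routing = {"domain.local": "win_domain_local", "newdomain.com": "win_newdomain"}
    # An unmatched or missing domain falls through to a default index rather
    # than silently landing in the wrong one.
    return routing.get(domain, "main")


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        loose = extract_domain(ev, LOOSE)
        strict = extract_domain(ev, STRICT)
        print(f"{ev!r}\n  loose={loose!r} strict={strict!r} -> index={route_index(strict)}")
```

Note that `\w+\.\w+` captures exactly two labels, so a host in a deeper domain such as host.corp.example.com yields "corp.example"; if more labels are needed, widen the capture to `[\w.-]+` and match the result against the list of expected domains.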
