How can I rename the host names for my chart?

Simeon
Splunk Employee

I have a chart that graphs by hostnames, but I don't want to see the fully qualified domain of each host. How could I rename the host values to be a subset of the name or a completely different name?

1 Solution

Simeon
Splunk Employee

The replace command allows you to rename values in the search results. For example, let us assume you have the following search which produces a chart of error counts by host:

index=webserver sourcetype=syslog ERRORS | timechart count by host

This chart produces the correct output, but you want to alter the host names. This is because they are very long strings and you do not need the fully qualified domain. For example:

host1 = machine1-webserverpool1.subdomain.domain.com
host2 = machine2-webserverpool2.subdomain.domain.com

Let's assume I want to rename host1 and host2 to be m1pool1 and m2pool2. You can simply add the following replace command before the timechart:

replace machine1-webserverpool1.subdomain.domain.com with m1pool1, machine2-webserverpool2.subdomain.domain.com with m2pool2 in host

You must make sure you specify the "in host" at the end, which tells Splunk to replace the values within the host field. The final search would be:

index=webserver sourcetype=syslog ERRORS | replace machine1-webserverpool1.subdomain.domain.com with m1pool1, machine2-webserverpool2.subdomain.domain.com with m2pool2 in host | timechart count by host

Alternatively, you could use the rex command in combination with a regex to extract only the portion you want to see. Let's assume I want to completely remove the subdomain and only see the node name. The rex portion might look like:

rex field=host "(?<hostname>.*)\.subdomain"

The final search would be:

index=webserver sourcetype=syslog ERRORS | rex field=host "(?<hostname>.*)\.subdomain" | timechart count by hostname

The output of this search would show counts for machine1-webserverpool1 and machine2-webserverpool2.

nataliat
Explorer

Hello, my question is related to this topic. So I prefer to use this post, rather than create a new question.

I also want to rename the fields to show different values. The above approaches work, but, if I am not wrong, they replace the value of the target field in each event before counting. Is there any way to replace the value of the field after counting? For example, if I have host = x (40 times) and y (42 times) and I want to display xx and yy instead, is it necessary to replace "x" with "xx" 40 times and "y" with "yy" 42 times before doing "count by host" to see those labels, or is there any workaround to replace them just once after "count by host" has taken place?

Thanks

0 Karma

ftk
Motivator

You can use rex in order to strip the hostname out of the FQDN:

| rex field=hostname "((?<my_host>[^\.]+)\.)?(?<my_domain>(([^\.]+\.)+)?[^\.]+)" | timechart count by my_host
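As an added illustration (not code from any poster in this thread), the following Python model runs the accepted answer's rex and ftk's pattern over constructed sample events, and contrasts "rewrite every event, then count" with "count, then rename each series once", which is what nataliat's follow-up asks about. The third host and the event counts are assumptions made for the demo.

```python
import re
from collections import Counter

# Constructed sample: the two FQDNs from the accepted answer, plus an assumed
# third host in another subdomain that shares machine2's node name.
HOST1 = "machine1-webserverpool1.subdomain.domain.com"
HOST2 = "machine2-webserverpool2.subdomain.domain.com"
HOST3 = "machine2-webserverpool2.other.domain.com"  # assumed, not on the page
EVENTS = [HOST1] * 40 + [HOST2] * 42 + [HOST3] * 3

# The accepted answer's rex in Python named-group syntax, with the dot escaped
# so it matches only a literal "." rather than any character.
SUBDOMAIN_RE = re.compile(r"(?P<hostname>.*)\.subdomain")
# ftk's pattern: the host is everything before the first dot, so it works for
# any domain rather than only ".subdomain".
FIRST_LABEL_RE = re.compile(r"((?P<my_host>[^\.]+)\.)?(?P<my_domain>(([^\.]+\.)+)?[^\.]+)")

def shorten_then_count(hosts, pattern, group):
    """rex ... | timechart count by <group>: rewrite every event, then count.
    Events the pattern does not match get no value; they are kept here under
    the key None so that data is not silently dropped from the chart."""
    counts = Counter()
    for h in hosts:
        m = pattern.match(h)
        counts[m.group(group) if m else None] += 1
    return dict(counts)

def count_then_rename(hosts, mapping):
    """timechart count by host, then rename each series once.
    Renaming after aggregation touches one entry per distinct host instead of
    one per event, but two long names mapped to the same short name must have
    their counts merged, or the chart shows the same label twice."""
    renamed = Counter()
    for host, n in Counter(hosts).items():
        renamed[mapping.get(host, host)] += n
    return dict(renamed)

if __name__ == "__main__":
    print(shorten_then_count(EVENTS, SUBDOMAIN_RE, "hostname"))
    print(shorten_then_count(EVENTS, FIRST_LABEL_RE, "my_host"))
    print(count_then_rename(EVENTS, {HOST1: "m1pool1", HOST2: "m2pool2", HOST3: "m2pool2"}))
```

The accepted answer's pattern leaves the ".other" host unmatched, while ftk's pattern folds it into machine2's series; renaming after counting gives the same totals as renaming before, as long as colliding short names are merged.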

sideview
SplunkTrust

You can use the eval command's replace function.

<your search> | eval host=replace(host, "commonprefix.", "") | <your report split by host>

See my answer to a different question here: http://answers.splunk.com/questions/6424/replace-parts-of-a-string/6430#6430

0 Karma
