Hello all,
I'm brand new to Splunk, so please have patience with me.
I want to convert our hostnames to a net mask.
Our servers and workstations must be in a specific format, e.g. AB000SV00100 (SV = Server) or AB200WS90032 (WS = Workstation). The FQDN looks like e.g. servername.domain.corp.company.com, but can come in other flavours like servername.companyname.com or just the servername.
To be able to find servers or workstations that do not comply with this format, I want to convert it to a mask so it will look like this:
AB120SV90039.mydomain.corp.company.com --> 110001100000.11111111.1111.1111111.111 (Letters = 1 and Numbers = 0) or
AB220WS00002.company.com --> 110001100000.1111111.111 or
AB566LX23456 --> 110001100000 and so on.
When this is done I want to use clustering or ML to see what falls outside the normal. But I haven't figured out how to do that conversion. Can this be done in Splunk?
Best regards
Per Bejder
If you just quickly want to see which hosts comply with your format you could do something like this:
*
| dedup host
| rex field=host "^(?P<correct>[A-Za-z]{2}[0-9]{3}[A-Za-z]{2}[0-9]{5}(\..*)?$)"
| eval incorrect=if(isnull(correct),host,"")
| table correct incorrect
It's quick and dirty, and it avoids the masking technique, but it may give you what you need.
| makeresults
| eval host1="AB120SV90039.mydomain.corp.company.com"
| eval host2="AB220WS00002.company.com"
`comment("first technique: digits to 0 first, then letters to 1")`
| rex field=host1 mode=sed "s/([0-9])/0/g"
| rex field=host1 mode=sed "s/([A-Za-z])/1/g"
| rex field=host2 mode=sed "s/([0-9])/0/g"
| rex field=host2 mode=sed "s/([A-Za-z])/1/g"
`comment("second technique: same order, or the 1s from the letter pass get turned into 0s")`
| foreach host*
    [ eval <<FIELD>> = replace(<<FIELD>>, "[0-9]", "0") ]
| foreach host*
    [ eval <<FIELD>> = replace(<<FIELD>>, "[A-Za-z]", "1") ]
Hi
Thanks - I will try to test that.
/Per
What is the end goal of this netmask exercise? There must be another way to get there without netmask.