Splunk Search

How do you convert a hostname to "netmask"?

perbejder
Engager

Hello all,

I'm brand new to Splunk, so please have patience with me.

I want to convert our hostnames to a net mask.

Our servers and workstations must be in a specific format, e.g. AB000SV00100 (SV = Server) or AB200WS90032 (WS = Workstation). The FQDN looks like e.g. servername.domain.corp.company.com, but can come in other flavours like servername.companyname.com or just the servername.

To be able to find servers or workstations that do not comply with this format, I want to convert it to a mask so it will look like this:

AB120SV90039.mydomain.corp.company.com --> 110001100000.11111111.1111.1111111.111 (Letters = 1 and Numbers = 0) or
AB220WS00002.company.com --> 110001100000.1111111.111 or 
AB566LX23456 --> 110001100000 and so on. 

When this is done I want to use clustering or ML to see what falls outside the normal. But I haven't figured out how to do that conversion. Can this be done in Splunk?

Best regards
Per Bejder

0 Karma

nickhills
Ultra Champion

If you just quickly want to see which hosts comply with your format you could do something like this:

*
| dedup host 
| rex field=host "^(?P<correct>[A-Za-z]{2}[0-9]{3}[A-Za-z]{2}[0-9]{5}(?:\..+)?)$"
| eval incorrect=if(isnull(correct),host,"")
| table correct incorrect

It's quick and dirty, and it avoids the masking technique, but it may give you what you need.

If my comment helps, please give it a thumbs up!
0 Karma

valiquet
Contributor
| makeresults 
| eval host1="AB120SV90039.mydomain.corp.company.com" 
| eval host2="AB220WS00002.company.com" 
`comment("first technique: sed on a copy of each field (digits first so the 1s written for letters are not turned back into 0)")`
| eval sed1=host1, sed2=host2 
| rex field=sed1 mode=sed "s/[0-9]/0/g" 
| rex field=sed1 mode=sed "s/[A-Za-z]/1/g" 
| rex field=sed2 mode=sed "s/[0-9]/0/g" 
| rex field=sed2 mode=sed "s/[A-Za-z]/1/g" 
`comment("second technique: one nested replace() per host* field (inner call maps digits then outer call maps letters)")`
| foreach host* 
    [ eval mask<<MATCHSTR>> = replace(replace(<<FIELD>>, "[0-9]", "0"), "[A-Za-z]", "1") ] 
| table host* sed* mask*
0 Karma
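The masking asked for in the question and the compliance check from the first reply, as an added Python example that is not code from any poster in this thread and not a Splunk search. `hostname_mask` maps letters to 1 and digits to 0 label by label (digits are mapped before letters, the same ordering the sed version needs, otherwise the 1s written for letters would be turned into 0s), `is_compliant` applies the AB000SV00100-style pattern to the short hostname, and `rare_masks` is an assumed, deliberately simple stand-in for the clustering step: it flags hosts whose mask shape occurs at most once in the inventory. `SAMPLE_HOSTS` is constructed sample data.

```python
import re
from collections import Counter

# Constructed sample inventory (not taken from the thread): several hostname flavours.
SAMPLE_HOSTS = [
    "AB120SV90039.mydomain.corp.company.com",
    "AB220WS00002.company.com",
    "AB566LX23456",
    "ab300sv00777.mydomain.corp.company.com",  # lower case, still the expected shape
    "SRV-OLD-01.company.com",                   # legacy name with hyphens
    "AB12SV900390",                             # digit runs of the wrong length
    "printer7.company.com",                     # not a server/workstation name at all
]

# Two letters, three digits, two letters, five digits: AB000SV00100, AB200WS90032, ...
NAMING_RE = re.compile(r"^[A-Za-z]{2}[0-9]{3}[A-Za-z]{2}[0-9]{5}$")


def hostname_mask(fqdn: str) -> str:
    """Letters -> '1', digits -> '0'; dots and any other characters are kept.

    Digits are replaced first so that the '1' characters written for letters
    in the second step are not themselves re-mapped to '0'.
    """
    masked = re.sub(r"[0-9]", "0", fqdn)
    return re.sub(r"[A-Za-z]", "1", masked)


def short_hostname(fqdn: str) -> str:
    """Strip the domain part: 'AB120SV90039.corp.company.com' -> 'AB120SV90039'."""
    return fqdn.split(".", 1)[0]


def is_compliant(fqdn: str) -> bool:
    """True when the short hostname follows the naming standard exactly."""
    return NAMING_RE.match(short_hostname(fqdn)) is not None


def rare_masks(hosts, max_count: int = 1):
    """Return (host, mask) pairs whose short-name mask is seen at most max_count times.

    Assumed simple outlier heuristic: in a fleet that follows one naming standard,
    the expected mask dominates and every other mask shape is worth a look.
    """
    masks = {h: hostname_mask(short_hostname(h)) for h in hosts}
    freq = Counter(masks.values())
    return [(h, m) for h, m in masks.items() if freq[m] <= max_count]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:45} {hostname_mask(host):45} compliant={is_compliant(host)}")
    print("rare mask shapes:", rare_masks(SAMPLE_HOSTS))
```

The mask is computed on the short hostname only because the domain suffix changes between hosts (four labels in one case, two in another) and would otherwise split identically named servers into different groups; run the full-FQDN mask instead if the domain placement is what you want to cluster on.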

perbejder
Engager

Hi

Thanks - I will try to test that.

/Per

0 Karma

richgalloway
SplunkTrust

What is the end goal of this netmask exercise? There must be another way to get there without netmask.

---
If this reply helps you, Karma would be appreciated.
0 Karma