Solved: Re: Is it possible to remove/replace a portion of ...

capilarity · ‎03-24-2015

we have logs that include a host-name which is always appended by the FQDN. The FQDN is always the same and is not needed for a high level dashboard.

This makes the field too long for a cell in a table on a dashboard and messes up the formatting of the table and therefore the page.
I've amended the indexing so all new data includes an additional field of just host-name

Is it possible (at search time) to remove this for data already indexed?

"hostname.domainname.com" to become "hostname"

Thanks

capilarity · ‎03-24-2015

answered my own question

what a dufus.

field extraction to create new field

been a long morning...

View solution in original post

vganjare · ‎03-24-2015

Hi,

You can try editing the field by using eval command. Following is an example:

| eval hostname=replace(hostname,"hostname.domainname.com","hostname")

Thanks!!

capilarity · ‎03-24-2015

Thanks for the comment, but the "hostname" portion of the FQDN is the variable.

Can use regex to extract the host but can you use regex to write the new string?

hostname="replace(hostname,"REGEXvalue.domainname.com,"REGEXvalue)

the example in the docs uses a static value as an output

... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")

capilarity · ‎03-24-2015

answered my own question

what a dufus.

field extraction to create new field

been a long morning...

Is it possible to remove/replace a portion of the data at search-time for better formatting and presentation?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?