Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting data from host field into a new field

amontero86
New Member
‎01-16-2015 09:37 AM

I am trying to extract data from the host field as the name of the host gives information about the location and where in that location something exists.

Example: host="BUSINESS_PRODUCTION_NYC_ST06"

In the example above I want to Pull out NYC and put it into a City field. Which I have tried doing that using the following

| rex field=host "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

however when I run that search I do not see the new City field. However if try that using a different field it seems to work.

| eval host2="BUSINESS_PRODUCTION_NYC_ST02" | rex field=host2 "BUSINESS_PRODUCTION_(?<City>\w+)_ST\d{2}"

Am I missing something or is this a bug? ( I am using 6.2.0)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V

View solution in original post

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎01-16-2015 10:20 AM

Hi,

I have tried the field extraction from host in 6.2. Here is the sample of mine,

Host: ip-192-168-169-32
Extracted value: 169
Rex: ip-.*-.*-(?<newfield>.*)-.*

Search : index=_internal | head 10 | stats count by host | rex field=host "ip-.*-.*-(?.*)-.*" | table host, newfield

Guess this will help you,

|stats count | eval host="BUSINESS_PRODUCTION_NYC_ST06" | rex field=host "BUSINESS_PRODUCTION_(?<City>.*)_.*" | table host, City
V
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:24 AM

Thanks looking at your example I realized that I was using underscores instead of dashes. Its always the simple answers smh. Thanks for your time.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:25 AM

Enjoy. Cheerrss!

V
0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:16 AM

Hi, Try this, |stats count | eval
host2="BUSINESS_PRODUCTION_NYC_ST02" |
rex field=host2
"BUSINESS_PRODUCTION_(?.)_ST"
| table host2,City

Cheerrss!

I am not sure why I can't see this response on this page. The query I posted that operates on host2 works without any problems. However when I apply the query to the host field it does not work.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎01-16-2015 10:22 AM

I have deleted and re posted the answer.

V
0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-16-2015 10:00 AM

Was the difference in the above to extraction expressions "\w" vs "\w+" intended? I have seen similar questions and note that it should work the same on indexed fields as well as extracted or _raw data.

0 Karma
Reply
Solved! Jump to solution

amontero86
New Member
‎01-16-2015 10:02 AM

Nope that is what happens when you type rather than copy sorry.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...