Splunk Search

How do I extract a hostname from a log where brackets are an issue?

northwarks
Engager

Hi all -

I'm struggling to extract the hostname from a DHCP request in my logs:

Mar 4 15:30:40 192.168.1.1 Mar 4 15:30:40 SecurityGateway dhcpd: execute_statement argv[2] = Nest-C256.Ourhouse

What I'm after is a count of the different hosts. I think it's fair to assume they will contain uppercase/lowercase/numbers and/or : and .

I've tried all sorts and I can't extract Nest-C256.Ourhouse from the case above. I've tried the following with no result:

Base Search .... | rex "argv[2]s=\s(?.[a-z A-Z,-,.]+)"

What I'd like is a table with a count against each hostname

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Your regular expression is close, but needs a few escapes. Try argv\[2\]\s\=\s(?<Host>.[\w\-\.]+).

---
If this reply helps you, Karma would be appreciated.


0 Karma

northwarks
Engager

Guys - thanks for the quick response. For anyone else searching for the same, the following worked a treat:

rex "argv\[2\]\s=\s(?<host_value>[\w\-\.]+)" | stats count by host_value

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this

index=... sourcetype=...
| rex "argv\[\d+\]\s=\s(?<host_value>\S+)"
| stats count by host_value

northwarks
Engager

This looked like the bit I was struggling with, argv[2]\s, but thanks for the additional bits.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

This works exactly as expected; I'm not sure why you skipped over this.

0 Karma

northwarks
Engager

You are right, it worked. However, I was looking to only return those values following 'argv[2] =' and not 'argv'. Both worked; I accepted the one which narrowed down my search. I did, however, use elements from both posts!

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Brush up on your regex. argv\[\d+\]\s=\s(?<host_value>\S+) applies to argv[2] = perfectly.

Feel free to upvote if my answer helped you

0 Karma

northwarks
Engager

Regex is my weak point, plus I'm new to Splunk. I totally see the issue here: \d+ means any digits. The issue was that it was returning values for multiple argv[1..2..3..4..5] etc.

Upvoted as you did help

0 Karma
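The thread above boils down to three regex details: the square brackets in argv[2] must be escaped or they become a character class, \d+ widens the match to every argv index, and the character class chosen for the hostname decides whether a value containing ':' survives intact. The script below is an added example (not code from the original posts or from Splunk) that runs the patterns from both answers, plus the unescaped version from the question and the combination the poster ended up using, over a handful of constructed log lines modelled on the one in the question. Splunk's rex uses PCRE, where a named group is written (?<name>...); Python's re spells the same group (?P<name>...), and that is the only change made to the patterns. The neighbouring argv[0], argv[1] and argv[3] lines and the extra hostnames are assumptions added so the differences show up in the counts.

```python
import re
from collections import Counter

# Constructed sample events modelled on the single line in the question.
# The argv[0], argv[1] and argv[3] lines and the extra hostnames are
# hypothetical; they exist so the four patterns give visibly different results.
PREFIX = ("Mar 4 15:30:40 192.168.1.1 Mar 4 15:30:40 SecurityGateway dhcpd: "
          "execute_statement ")
SAMPLE_EVENTS = [
    PREFIX + "argv[0] = dhcp-lease-hook",
    PREFIX + "argv[1] = 192.168.1.50",
    PREFIX + "argv[2] = Nest-C256.Ourhouse",
    PREFIX + "argv[3] = 00:11:22:33:44:55",
    PREFIX + "argv[2] = laptop-01.Ourhouse",
    PREFIX + "argv[2] = Nest-C256.Ourhouse",
    PREFIX + "argv[2] = Printer:Office.Ourhouse",
]

# The brackets left unescaped, as in the question's attempt: "[2]" is a
# character class, so this matches the literal text "argv2 =" and never
# "argv[2] =".
UNESCAPED = re.compile(r"argv[2]\s=\s(?P<host_value>[\w\-\.]+)")

# Accepted answer: escaped brackets, restricted to argv[2]. The class
# [\w\-\.] stops at ':' so a hostname containing a colon is truncated.
ARGV2_WORD = re.compile(r"argv\[2\]\s=\s(?P<host_value>[\w\-\.]+)")

# Second answer: any argv index, any run of non-whitespace. Captures the
# hostname intact but also argv[0], argv[1], argv[3] values.
ANY_ARGV = re.compile(r"argv\[\d+\]\s=\s(?P<host_value>\S+)")

# Elements of both, as the poster said they did: index 2 only, but \S+ so
# the ':' the question mentioned is kept.
ARGV2_NONSPACE = re.compile(r"argv\[2\]\s=\s(?P<host_value>\S+)")


def extract(pattern, events):
    """Mimic '| rex "..."' over _raw: the captured host_value of every event
    that matches. Events without a match contribute nothing, just as rex
    leaves the field unset on them."""
    values = []
    for event in events:
        match = pattern.search(event)
        if match:
            values.append(match.group("host_value"))
    return values


def count_by_host(pattern, events):
    """Mimic '| stats count by host_value' on the extracted values."""
    return dict(Counter(extract(pattern, events)))


if __name__ == "__main__":
    patterns = [
        ("unescaped argv[2]", UNESCAPED),
        ("argv\\[2\\] with [\\w\\-\\.]+", ARGV2_WORD),
        ("argv\\[\\d+\\] with \\S+", ANY_ARGV),
        ("argv\\[2\\] with \\S+", ARGV2_NONSPACE),
    ]
    for name, pattern in patterns:
        print(f"{name}: {count_by_host(pattern, SAMPLE_EVENTS)}")
```

Running it shows the unescaped pattern extracting nothing, the accepted answer counting "Printer" instead of "Printer:Office.Ourhouse", the \d+ pattern mixing an IP address and a MAC address into the host table, and the combined pattern giving the per-hostname counts the question asked for. One caveat worth keeping in mind when this table feeds detection logic: the DHCP client chooses the hostname it sends, so the extracted value is attacker-controlled text, and a \S+ capture will happily accept whatever a client puts there.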