Solved: Re: How to use Regex to trim the field?

kiran331 · ‎04-10-2018

Hi, I have a field with DNS names, how to extract a host name from them?

for example,

abc123.ab.com
aca12.ba.xy.com

output i need

abc123
aca12

DalJeanis · ‎04-10-2018

One way is

| rex field=mydnsfield "^(?<hostname>[^.]+)"

That will get everything that isn't a period, from the beginning, up to but not including the first period.

View solution in original post

DalJeanis · ‎04-10-2018

One way is

| rex field=mydnsfield "^(?<hostname>[^.]+)"

That will get everything that isn't a period, from the beginning, up to but not including the first period.

adonio · ‎04-10-2018

give this a try:
... | rex (?<field1>\w+)\.(?<field2>\w+)\.(?<field3>\w+)
https://regex101.com/r/uWt0Mf/1

hope it helps

DalJeanis · ‎04-10-2018

@adonio - (1) That's going to fail if any of the host names don't have three or more nodes. You should probably make the last one optional. (2) What's the purpose of the final .?

adonio · ‎04-10-2018

Thanks @DalJeanis!
wanted to demonstrate flexibility in case s/he needs more fields extracted
as always, great comments, appreciate it!
i guess the . implies i am writing more in my journal lately and i am trying to end a sentence with a .
edited the answer

How to use Regex to trim the field?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk