How to get the domain name from a fully qualified hostname via GROK

aolvikash · October 28, 2019, 9:04am

How to get the domain name from a fully qualified hostname via GROK.

I have used the pipeline to extract a couple of details from filebeat and getting one of the fields as hostname, needs to fetch the domain name from a fully qualified hostname.

Here are a couple of examples:

Fully qualified hostname could be:

host1.co.us
host2.ins.co.uk
host3.ar.uk.local

The domain name for the above hostname should be as follows:

co.us
ins.co.uk
ar.uk.local

Thanks for your help in advance.

Michael_Madden · October 28, 2019, 2:18pm

Hello,

Thanks for reaching out. Just to clarify, are you using a logstash pipeline? If so would a grok pattern like the following work to break up the host name and domain name?

%{DATA:host}\.%{GREEDYDATA:domain}

Thanks.

aolvikash · October 28, 2019, 2:25pm

Thanks a lot Michael. It works exactly what i need.

Have a great day !!

aolvikash · October 29, 2019, 7:52am

Hi,

I have tried the above pattern in GROK debugger and it is working fine however when adding as ELK via dev toll then getting error on tild slice before dot "%{DATA:host}\.%{GREEDYDATA:domain}" any suggestion could be really helpfull.

aolvikash · October 29, 2019, 9:07am

No worries, I have resolved the above issue !! Thanks for checking.

system · November 26, 2019, 9:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split FQDN Logstash	3	899	March 9, 2021
How to match IP address to hostname without dns [Solved] Logstash	6	18987	July 6, 2017
Grok filter add_field Logstash	6	2080	May 19, 2020
Grokking DNS entries/hostnames with underscores - less expensive pattern? Logstash	1	558	April 22, 2019
How can I drop the domain from host.name field in logstash? Logstash	4	582	April 9, 2021

How to get the domain name from a fully qualified hostname via GROK

Related topics