In the filter expression window (when performing data captures), how would I filter for hosts that have DHCP anywhere in the hostname?

sdinthenorth · April 27, 2022, 12:15pm

The equivalent to running host= * DHCP * in Splunk.

JonRust · April 27, 2022, 12:57pm

IF the data contains a host field, you can use the match method:

host.match(/dhcp/i)

If the host name is in the _raw string, sub _raw for host in the above.