https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-get-characters-from-host-name/m-p/532962#M3750 <P>Hello All:</P> <P>&nbsp;</P> <P>Our host_names are formatted the same across our fleet.&nbsp; I'd like to pull out the 5-8 characters in the hostname.&nbsp; We've tried using trim, ltrim and rtrim, and even with them nested.&nbsp; Any suggestions?</P> <P>&nbsp;</P> <P>In this example&nbsp;WX260920162Q2R</P> <P>we want to pull out 0920.</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 02 Mar 2023 15:09:40 GMT Brad.Herbert 2023-03-02T15:09:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-get-characters-from-host-name/m-p/532962#M3750 <P>Hello All:</P> <P>&nbsp;</P> <P>Our host_names are formatted the same across our fleet.&nbsp; I'd like to pull out the 5-8 characters in the hostname.&nbsp; We've tried using trim, ltrim and rtrim, and even with them nested.&nbsp; Any suggestions?</P> <P>&nbsp;</P> <P>In this example&nbsp;WX260920162Q2R</P> <P>we want to pull out 0920.</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 02 Mar 2023 15:09:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-get-characters-from-host-name/m-p/532962#M3750 Brad.Herbert 2023-03-02T15:09:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-get-characters-from-host-name/m-p/533006#M3753 <P data-unlink="true">Hi Brad.Herbert,<BR /><BR />If I understand correctly you are wanting to extract these 5-8 characters from the hostname to populate a new field? If that is the case, you can use the <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/arrayindex" target="_self"><EM>arrayindex</EM></A> and <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/arrayindex" target="_self"><EM>regextract</EM></A> functions&nbsp;together to accomplish this. The regextract function takes a string (in this case the endpoint_name field) followed by a regex to match on the characters you are wanting to extract. In my example below, "WX(\w{5,8})" is the regex, where the function will look for WX followed by 5-8 word characters (letters or numbers), and will <U>only capture the pattern that is contained in the parenthesis</U> (the 5-8 word characters that follow "WX"). You could also specify a non-capturing pattern that has to match at the end of the regex as well by including it outside of the closing parenthesis and inside the closing double quotation, such as&nbsp;"WX(\w{5,8})YZ" if you want to capture the 5-8 word characters ONLY when they are preceded by "WX" and followed by "YZ".&nbsp;<BR />The <EM>regextract</EM> function will return an array of all of the patterns that it matched on, and in this case it may be fine to use this function on its own since it is unlikely to have multiple pattern matches from a single endpoint name, but this function is commonly used in combination with the <EM>arrayindex</EM> function, which accepts an array (in this case it is the output from our <EM>regextract</EM> function) and a specified array position, and returns the corresponding value. Arrays are 0-based, meaning when we specify an array position of 0, we are telling the function to return the first value in the array.<BR /><BR /><BR />| alter new_field = arrayindex(regextract(endpoint_name, "WX(\w{5,8})"), 0)</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Regards,<BR />Ben</P> Thu, 02 Mar 2023 20:02:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-get-characters-from-host-name/m-p/533006#M3753 bbucao 2023-03-02T20:02:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-get-characters-from-host-name/m-p/533021#M3754 <P>Thanks Ben, we ended up going this route shortly after I posed the question.&nbsp; Thanks for the response!</P> Thu, 02 Mar 2023 21:27:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-get-characters-from-host-name/m-p/533021#M3754 Brad.Herbert 2023-03-02T21:27:52Z