https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42722#M10009 <P>You can also use the regex command to pipe a field through a regular expression. </P> <P>For example: </P> <P>index=bro sourcetype=bro_conn <BR /> | regex dest_ip="/(^127.)|(^192.168.)|(^10.)|(^172.1[6-9].)|(^172.2[0-9].)|(^172.3[0-1].)|(^::1$)|(^[fF][cCdD])/"</P> Tue, 29 Sep 2020 22:21:28 GMT bliscuit 2020-09-29T22:21:28Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42714#M10001 <P>How would I search multiple hosts with one search string?</P> <P>I have 6 hosts and want the results for all:</P> <P>Search String:</P> <PRE><CODE>index="rdpg" ( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="") | eval disconnect_time=if(match(_raw,"2222222"),_time,null()) | eval connect_time=if(match(_raw,"1111111"),_time,null()) | eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral) | eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral) | stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" max(dest_ip) as "Destin ip" by Ephemeral | eval Seconds=Disconnect-Connect | fieldformat Seconds=strftime('Seconds', "%s") | eval "Total Time"=tostring(Seconds,"duration") | where Seconds &gt; 300 | search Connect=* Disconnect=* | appendpipe [stats sum(Seconds) as "Total Seconds" ] | convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect) </CODE></PRE> <P>Hosts= Srv004 Srv005 Srv181 Srv192 Srv142 Srv181</P> Mon, 25 Feb 2013 19:28:15 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42714#M10001 Xe03kfp 2013-02-25T19:28:15Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42715#M10002 <P>AND operators could help in this situation</P> <P>host="srv004" AND host="srv005" AND .....</P> Mon, 25 Feb 2013 19:33:10 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42715#M10002 herkalurk 2013-02-25T19:33:10Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42716#M10003 <P>Didn't work</P> Mon, 25 Feb 2013 19:35:17 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42716#M10003 Xe03kfp 2013-02-25T19:35:17Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42717#M10004 <P>Sorry, I should have said OR ...</P> <P>host="srv004" OR host="srv005" OR .....</P> Mon, 25 Feb 2013 19:49:29 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42717#M10004 herkalurk 2013-02-25T19:49:29Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42718#M10005 <P>If you were to do that report on each host individually, in the time frame you're searching, you got results from each host? I only want to make sure that the fact you're only seeing 2 hosts isn't because the others don't have data.</P> Mon, 25 Feb 2013 20:46:05 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42718#M10005 herkalurk 2013-02-25T20:46:05Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42719#M10006 <P>How could you use wildcards in server name to get groups of host without typing each one in?</P> Fri, 07 Aug 2015 15:56:22 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42719#M10006 msackett 2015-08-07T15:56:22Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42720#M10007 <P>host="srv00*"</P> Thu, 22 Dec 2016 19:50:24 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42720#M10007 hari2139 2016-12-22T19:50:24Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42721#M10008 <P>host=srv00* will give all hosts matching the wildcard.</P> Wed, 18 Jan 2017 00:32:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42721#M10008 prabhu77749 2017-01-18T00:32:53Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42722#M10009 <P>You can also use the regex command to pipe a field through a regular expression. </P> <P>For example: </P> <P>index=bro sourcetype=bro_conn <BR /> | regex dest_ip="/(^127.)|(^192.168.)|(^10.)|(^172.1[6-9].)|(^172.2[0-9].)|(^172.3[0-1].)|(^::1$)|(^[fF][cCdD])/"</P> Tue, 29 Sep 2020 22:21:28 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42722#M10009 bliscuit 2020-09-29T22:21:28Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42723#M10010 <P>Thanks! This helped. </P> Tue, 29 Jan 2019 14:57:32 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/42723#M10010 ryhluc01 2019-01-29T14:57:32Z https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/696332#M236666 <P>should use OR condition to include all hosts....host="srv004" OR host="srv005" OR</P> Thu, 15 Aug 2024 01:33:23 GMT https://community.splunk.com/t5/Splunk-Search/Search-multiple-hosts-with-one-search-string/m-p/696332#M236666 rammeduru 2024-08-15T01:33:23Z