https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65426#M16245 <P>I would recommend using a macro instead of an eventtype in this case. Defining the eventtype will make searches slower, as the eventtype not only expands the search, but then all results are checked against the list of possible eventtypes for a match. Using a macro will just expand the search terms, without doing the typing on the results.</P> Wed, 23 Mar 2011 05:16:51 GMT gkanapathy 2011-03-23T05:16:51Z https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65424#M16243 <P>My company has a server naming convention that specifies a number Server01 Server02 Server03 Server04 -&gt; Server100</P> <P>How would i go about creating a search that would show events from Odd or Even numbered host names only?</P> <P>Thanks</P> Wed, 23 Mar 2011 03:36:53 GMT https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65424#M16243 johnmca 2011-03-23T03:36:53Z https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65425#M16244 <P>There may be a better way, but this will work.</P> <PRE><CODE>my_search_terms | rex field=host "Server(?&lt;hostdigit&gt;\d+)" | eval oddhost=hostdigit % 2 | where oddhost=1 </CODE></PRE> <P>Oddhost will be set to 0 or 1 depending on whether the host id is odd or even.</P> <P></P><HR /><P></P> <P>Another approach that appears to work could be done with eventtypes. You would define two eventtypes, one for "oddhost" and one for "evenhost", similar to this, in eventtypes.conf:</P> <PRE><CODE>[oddhost] search = ( host="Server*1" OR host="Server*3" OR host="Server*5" OR host="Server*7" OR host="Server*9" ) [evenhost] search = ( host="Server*0" OR host="Server*2" OR host="Server*4" OR host="Server*6" OR host="Server*8" ) </CODE></PRE> <P>More info on eventtypes at <A href="http://www.splunk.com/base/Documentation/latest/Knowledge/Abouteventtypes" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Knowledge/Abouteventtypes</A></P> <P></P><HR /><P></P> <P>Given Gerald's recommendation of a macro, you can do something like this in macros.conf:</P> <PRE><CODE>[evenhost] definition = ( host="Server*0" OR host="Server*2" OR host="Server*4" OR host="Server*6" OR host="Server*8" ) [oddhost] definition = ( host="Server*1" OR host="Server*3" OR host="Server*5" OR host="Server*7" OR host="Server*9" ) </CODE></PRE> <P><A href="http://www.splunk.com/base/Documentation/latest/Admin/Macrosconf" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Macrosconf</A></P> <P><A href="http://www.splunk.com/base/Documentation/latest/User/CreateAndUseSearchMacros" rel="nofollow">http://www.splunk.com/base/Documentation/latest/User/CreateAndUseSearchMacros</A></P> Wed, 23 Mar 2011 04:09:02 GMT https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65425#M16244 dwaddle 2011-03-23T04:09:02Z https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65426#M16245 <P>I would recommend using a macro instead of an eventtype in this case. Defining the eventtype will make searches slower, as the eventtype not only expands the search, but then all results are checked against the list of possible eventtypes for a match. Using a macro will just expand the search terms, without doing the typing on the results.</P> Wed, 23 Mar 2011 05:16:51 GMT https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65426#M16245 gkanapathy 2011-03-23T05:16:51Z https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65427#M16246 <P>The macro will possibly be a bit faster than using rex, but you should try them both a few times, then use the Search Inspector to see which goes faster. Be sure to turn off "Field Discovery" when benchmarking.</P> Wed, 23 Mar 2011 05:19:00 GMT https://community.splunk.com/t5/Splunk-Search/Odd-or-even-host/m-p/65427#M16246 gkanapathy 2011-03-23T05:19:00Z