topic Re: hosts with certain criteria (simplified REGEX) in Splunk Search

hosts with certain criteria (simplified REGEX)

Noorzaie — Mon, 28 Sep 2020 20:21:22 GMT

I want to pull data for certain HOSTs in my index. For example:
(host=*pr1p01 OR host=*pr1p03 OR host=*pr1p05 .. ) - servers with ODD or EVEN numbers.

Appreciate the help.

Re: hosts with certain criteria (simplified REGEX)

woodcock — Tue, 23 Jun 2015 18:36:17 GMT

Try this:

... | where match(host, ".*[13579]$")

Or this:

... | eval evenOrOdd = if(match(host, ".*[13579]$"), "ODD", "EVEN") | where evenOrOdd="ODD"

Re: hosts with certain criteria (simplified REGEX)

Noorzaie — Tue, 23 Jun 2015 18:47:36 GMT

I would like to specifically include only HOSTs with *pr1p0[02468] or *pr1p0[13579]

Re: hosts with certain criteria (simplified REGEX)

richgalloway — Tue, 23 Jun 2015 18:54:22 GMT

How is that different from 'host=*pr1p0[0-9]'? What exactly are you trying to accomplish?

Re: hosts with certain criteria (simplified REGEX)

Noorzaie — Tue, 23 Jun 2015 19:03:59 GMT

My objective is to query against the hosts whose names end with ODD numbers but begins with *pr1p.

Thanks.

Re: hosts with certain criteria (simplified REGEX)

richgalloway — Tue, 23 Jun 2015 19:10:22 GMT

I'm confused by your stated desire to include hosts that end with '[02468]', but woodcock's first suggestion should do the job.

... | where match(host, ".*pr1p0[13579]$")

Re: hosts with certain criteria (simplified REGEX)

martin_mueller — Tue, 23 Jun 2015 19:24:30 GMT

If you really only have five matching hosts in each group then I'd strongly recommend tagging each host with either odd or event and searching like this:

index=yourindex tag::host=odd | ...

If this is just a simple example for a more complex or even unknown list of hosts then tagging is not going to work. For performance reasons I'd advise this slightly more complicated solution:

index=yourindex [tstats count where index=yourindex AND host=*pr1p0* by host | where match(host, "pr1p0[13579]$") | fields host] | rest of the search pipeline

That will generate a tailored search filter for Splunk to only look at matching hosts' events. With the late |where in the other suggestions Splunk has to load events from non-matching hosts, process them, and then discard them again. Sloooow.

Re: hosts with certain criteria (simplified REGEX)

woodcock — Tue, 23 Jun 2015 19:30:13 GMT

OK, I think you are looking for this:

... regex host=".*\d+$"

But really we can't say for sure because your question and followup comments are SO contradictory and unclear. You definitely need the regex host= command but until you can be PERFECTLY CLEAR about what you are trying to match, we cannot help you. The regex in my solution matches any host that ends in a digit.

Re: hosts with certain criteria (simplified REGEX)

Noorzaie — Mon, 28 Sep 2020 20:21:24 GMT

Let me try to to explain one more time 😉
I have this query:
index=my-ndx "some criteria" (host=*pr1p01 OR host=*pr1p03 OR host=*pr1p05 OR host=*pr1p07 OR host=*pr1p09 OR host=*pr1p11) | stats pipeline

My list of hosts is growing and there are other hosts that i don't want to include (hence the criteria), so instead of adding the additional hosts to the OR criteria, can I use regex or similar to get data with only hosts matching this criteria?

thanks,

Re: hosts with certain criteria (simplified REGEX)

aljohnson_splun — Tue, 23 Jun 2015 20:26:08 GMT

Does @woodcock's first answer, | where match(host, ".*[13579]$") not work ?

Re: hosts with certain criteria (simplified REGEX)

Noorzaie — Mon, 28 Sep 2020 20:21:30 GMT

No, it returns hosts outside the criteria "*pr1p". I want only hosts with "*pr1p01", "*pr1p03" and so forth.

Re: hosts with certain criteria (simplified REGEX)

aljohnson_splun — Tue, 23 Jun 2015 20:32:49 GMT

So you just need | where match(host, ".*pr1p[13579]$") ?

Re: hosts with certain criteria (simplified REGEX)

aljohnson_splun — Tue, 23 Jun 2015 21:53:56 GMT

Your second search is, as us kids say, "money".

Re: hosts with certain criteria (simplified REGEX)

martin_mueller — Tue, 23 Jun 2015 21:56:46 GMT

I'll send you my paypal 😛

Re: hosts with certain criteria (simplified REGEX)

Noorzaie — Mon, 28 Sep 2020 20:20:45 GMT

thank you all for your inputs. I think this will work but I will ask Martin if this will filter out the hosts on the first pass.

index=foo (host=*pr1p*1 OR host=*pr1p*3 OR host=*pr1p*5 OR host=*pr1p*7 OR host=*pr1p*9) | ...

Re: hosts with certain criteria (simplified REGEX)

woodcock — Tue, 23 Jun 2015 22:10:26 GMT

See my latest answer regarding eventtypes (immediately forthcoming)...

Re: hosts with certain criteria (simplified REGEX)

martin_mueller — Tue, 23 Jun 2015 22:17:45 GMT

This will work as long as you have no host called pr1pfoo1 that's not supposed to be matched. Regex'ing for digits would filter it out, this wildcard would not.

Re: hosts with certain criteria (simplified REGEX)

woodcock — Tue, 23 Jun 2015 22:18:46 GMT

Given this clarification:

My list of hosts is growing and there are other hosts that i don't want to include (hence the criteria), so instead of adding the additional hosts to the OR criteria, can I use regex or similar to get data with only hosts matching this criteria?

I assume your concern is housekeeping, not complexity nor filtering, per se. If so, then the solution is to create an eventtype and make sure that all of your users and searches use it like this:

eventtype=SpecialHosts ...

Then you modify this ONE definition in ONE place ( eventtypes.conf ) as often as needed and when you save it, INSTANTLY everything else is updated:

[SpecialHosts]
index=my-ndx "some criteria" (host=*pr1p01 OR host=*pr1p03 OR host=*pr1p05 OR host=*pr1p07 OR host=*pr1p09 OR host=*pr1p11)

Re: hosts with certain criteria (simplified REGEX)

woodcock — Tue, 07 Jul 2015 05:10:50 GMT

Did this work?

Re: hosts with certain criteria (simplified REGEX)

bjcross — Thu, 12 Sep 2019 17:28:17 GMT

also syntax is host_regex instead of regex host

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf