https://community.splunk.com/t5/Splunk-Search/Query-against-a-list-of-computers/m-p/199523#M57778 <P>You are looking for mac - wait for it - ros! Macros!</P> <P>You can define them in either macros.conf or via the UI.</P> <P>Put your host list (as a search string) in the macro (we'll call it <CODE>tv_host_list</CODE>). </P> <PRE><CODE>host=TV-host1 OR host=TV-host2 OR ...... </CODE></PRE> <P>Then reference the macro in any other search.</P> <PRE><CODE>earliest=-1d@d `tv_host_list` | do other things here. </CODE></PRE> <P>And here's a doc for you: <CODE><A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Search/UseSearchMacros" target="test_blank">http://docs.splunk.com/Documentation/Splunk/6.0.1/Search/UseSearchMacros</A></CODE></P> <P>Find us on IRC! Efnet channel #splunk! Live help (and maybe some trout slapping!)! <STRONG>not officially official help - customers and such</STRONG></P> Fri, 10 Jan 2014 14:30:28 GMT alacercogitatus 2014-01-10T14:30:28Z https://community.splunk.com/t5/Splunk-Search/Query-against-a-list-of-computers/m-p/199522#M57777 <P>Hi:<BR /> We have a bunch of searches that are being run against a specific set of hosts (we'll say:</P> <P>TV-host1, TV-host2, TD-host1, TD-host2</P> <P>i want a way to run a set of saved searches against a list of hosts specified in another saved search.</P> <P>I currently am doing this in the following method:</P> <P>savedsearch1:<BR /> host="T*-host*"</P> <P>saved searches that use this:<BR /> | savedsearch1 | rest of query</P> <P>I realize that this is extremely inefficient because it pulls all the logs for those hosts, then narrows down the results from there.</P> <P>Is there a way to take the actual search syntax from a saved search and apply it to another search inline? </P> <P>The reason I'm asking this is because I want some saved searches set so that it queries against specific hosts, and if we have a new naming standard, then all I need to do is modify the search that handles the hostnames, rather than modifying 25 other searches and modifying the host syntax on those.</P> <P>Another question I have, is there a way to narrow down hostname based on a regex, rather than the any character *?</P> <P>Such as T*-host[0-9]*</P> <P>So that would find TV-host1, but not TV-hoster2?</P> <P>We have a couple of hosts that are named similar, and it is confusing some of the saved searches we have.</P> <P>Thanks for any assistance you could provide</P> <P>-Jeff</P> Mon, 28 Sep 2020 15:37:52 GMT https://community.splunk.com/t5/Splunk-Search/Query-against-a-list-of-computers/m-p/199522#M57777 raidercom 2020-09-28T15:37:52Z https://community.splunk.com/t5/Splunk-Search/Query-against-a-list-of-computers/m-p/199523#M57778 <P>You are looking for mac - wait for it - ros! Macros!</P> <P>You can define them in either macros.conf or via the UI.</P> <P>Put your host list (as a search string) in the macro (we'll call it <CODE>tv_host_list</CODE>). </P> <PRE><CODE>host=TV-host1 OR host=TV-host2 OR ...... </CODE></PRE> <P>Then reference the macro in any other search.</P> <PRE><CODE>earliest=-1d@d `tv_host_list` | do other things here. </CODE></PRE> <P>And here's a doc for you: <CODE><A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Search/UseSearchMacros" target="test_blank">http://docs.splunk.com/Documentation/Splunk/6.0.1/Search/UseSearchMacros</A></CODE></P> <P>Find us on IRC! Efnet channel #splunk! Live help (and maybe some trout slapping!)! <STRONG>not officially official help - customers and such</STRONG></P> Fri, 10 Jan 2014 14:30:28 GMT https://community.splunk.com/t5/Splunk-Search/Query-against-a-list-of-computers/m-p/199523#M57778 alacercogitatus 2014-01-10T14:30:28Z https://community.splunk.com/t5/Splunk-Search/Query-against-a-list-of-computers/m-p/199524#M57779 <P>That is exactly what I am looking for.<BR /> Thank you!</P> Fri, 10 Jan 2014 15:52:12 GMT https://community.splunk.com/t5/Splunk-Search/Query-against-a-list-of-computers/m-p/199524#M57779 raidercom 2014-01-10T15:52:12Z