https://community.splunk.com/t5/Splunk-Search/Can-search-deal-with-bracket-expansions/m-p/268261#M80688 <P>I'm using splunk in HPC use cases that can span hundreds or even thousands of machines contiguously or potentially in segmented ranges. Although we have a convention, I find it hard at times to scope searches over a complete desired range of a given condition.</P> <P>I would like to be able to do something like:</P> <P>host=host[0001-0877,0899,1300-2350] but that doesn't seem to work. Is there another way to kind of dynamically scope ranges like this? I say dynamic because it isn't, and almost never will, be the exact same range per circumstance.</P> Wed, 09 Dec 2015 15:44:53 GMT mjones414 2015-12-09T15:44:53Z https://community.splunk.com/t5/Splunk-Search/Can-search-deal-with-bracket-expansions/m-p/268261#M80688 <P>I'm using splunk in HPC use cases that can span hundreds or even thousands of machines contiguously or potentially in segmented ranges. Although we have a convention, I find it hard at times to scope searches over a complete desired range of a given condition.</P> <P>I would like to be able to do something like:</P> <P>host=host[0001-0877,0899,1300-2350] but that doesn't seem to work. Is there another way to kind of dynamically scope ranges like this? I say dynamic because it isn't, and almost never will, be the exact same range per circumstance.</P> Wed, 09 Dec 2015 15:44:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-search-deal-with-bracket-expansions/m-p/268261#M80688 mjones414 2015-12-09T15:44:53Z https://community.splunk.com/t5/Splunk-Search/Can-search-deal-with-bracket-expansions/m-p/268262#M80689 <P>This isn't a great answer but you could do something like this in the immediate term</P> <PRE><CODE>host=host* sourcetype=foo | rex field=host "\w+(?&lt;host_num&gt;\d+)" | search host_num &gt; 877 .... </CODE></PRE> <P>You could also bake the field extraction into your configs like this so the field is there for searching prior to the first pipe. One of the issues with the above is that it will return all of the events and then strip out those you don't want which isn't efficient.</P> <P>Props</P> <PRE><CODE>[foo] EXTRACT-foo_host_num = \w+(?&lt;host_num&gt;\d+) in host </CODE></PRE> <P>Beyond that I'm curious if anyone else has a different solution to this as I'd be interested as well!</P> Wed, 09 Dec 2015 16:18:58 GMT https://community.splunk.com/t5/Splunk-Search/Can-search-deal-with-bracket-expansions/m-p/268262#M80689 Runals 2015-12-09T16:18:58Z https://community.splunk.com/t5/Splunk-Search/Can-search-deal-with-bracket-expansions/m-p/268263#M80690 <P>Define a macro like this:</P> <PRE><CODE>[filter_range(4)] args = field,prefix,from,to definition = [localop | stats count | eval count = mvrange($from$,$to$) | mvexpand count | eval $field$ = "$prefix$".count | fields $field$] errormsg = oops! iseval = 0 validation = isnum(from) AND isnum(to) </CODE></PRE> <P>Then search like this:</P> <PRE><CODE>`filter_range(host,foo,100,200)` OR `filter_range(host,foo,900,950)` </CODE></PRE> <P>Each call to the macro will generate a list of <CODE>host=foo100</CODE> to <CODE>host=foo200</CODE> (exclusive) OR'd together, by default limited to 10000 rows per subsearch. If you need zero-prefixes you will need to do a bit of formatting in the <CODE>eval</CODE>, and maybe add a fifth argument to tell how wide your number should be... or just add the 0 to the prefix.</P> Wed, 09 Dec 2015 17:36:35 GMT https://community.splunk.com/t5/Splunk-Search/Can-search-deal-with-bracket-expansions/m-p/268263#M80690 martin_mueller 2015-12-09T17:36:35Z