Hi all, we have around 8 dashboards fetching data from same index. There are around 150 hosts with this index, but we don't want to see the data from particular 50 hosts in a dashboard. how this can be done???Any inputs on this please???
Hi @Ash1 ,
if you need to exclude many hosts (like 509 from your search the best solution is the one from @burwell : a lookup containing the host list.
If instead they are three or four, you can also insert them in each search or create a macro to excude them.
Ciao.
Giuseppe
If you always want to ignore the same hosts each time, you could create a lookup file with names of the hosts and use a search as described in this post: https://community.splunk.com/t5/Splunk-Search/How-to-search-for-all-IP-s-not-in-a-lookup-table/m-p/3...Something like
index=myindex NOT [|inputlookup mylookup.csv | fields host]
