How can I search for the field host with multiple ...

ddrillic · ‎09-26-2018

We ended up with an operation index that has two hosts per event, let's say aaa and bbb.
Searching for index=shortland host=aaa brings results but index=shortland host=bbb does not.

What can it be?

woodcock · ‎04-06-2019

If that search does not work, then your host field does really have both values. We will never get to the bottom of this unless you post an event. and your props.conf settings.

harishalipaka · ‎09-26-2018

Hi @ddrillic

H can achieve with OR ,IN
EG:- host=aaa or host=bbb

host in ("aaa","bbb")

If my answer helped please accept answer or up vote

Thanks
Harish

ddrillic · ‎09-26-2018

Thank you @harishalipaka.

richgalloway · ‎09-26-2018

Can you share a sample (sanitized) event, please?

---
If this reply helps you, Karma would be appreciated.

ddrillic · ‎09-26-2018

No worries - speaking with the sales engineer who explained that one host value was indexed at index time and another one was discovered at search time. Apparently, only the index time value is searchable when searching against the host field.

ddrillic · ‎04-06-2019

For the record, a similar case at How to handle search query when json data has host field?

How can I search for the field host with multiple values?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!