Splunk Search

If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Path Finder

Hi,

I have 25 servers with the same prefix name, each suffixed with a different number: host_1, host_2, ..., host_25.

How do you write a search to spool only the server names from host11 up to host23, instead of using the exclude operator (!=) on the hosts you don't need?

index=* counter="*"  Host="host _1*"    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host

Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

SplunkTrust

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, an upvote would be appreciated.


Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Path Finder

Thanks richgallowway!


Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

SplunkTrust

Assuming that your host names have the same name with a number as suffix (1,2,3...24,25) and no left padding, try something like this:

index=* counter="*"  [| gentimes start=-1 | eval Host=mvrange(11,24) | table Host | mvexpand Host | eval Host="YourHostSuffix_".Host ]    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host

The subsearch will dynamically generate an OR condition as

Host=YourHostSuffix_11 OR Host=YourHostSuffix_12 OR.... OR Host=YourHostSuffix_23

The only thing you need to provide is the suffix (YourHostSuffix above), the start index (11 in the mvrange command) and the end range (end range+1 = 24 in mvrange).


Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Path Finder

Thanks somesoni2


Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Community Manager

Hi @idab

Be sure to accept the answer that solved your question best, otherwise this will appear to other users as unresolved. Thanks!

Patrick


Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Builder

I saw someone else do this before and was a bit surprised it even worked.

index=* counter="*"   (host=host_1* OR  host=host_2*)  (host >= host_1 AND host <= host_25)  | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
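
An added example, not from any poster in this thread: a Python model of the three host filters above, run over a constructed inventory, to check which names each one selects for the range 11 to 23. It assumes the string-range form compares host names lexicographically; all function names are illustrative.

```python
import re

def make_hosts(count):
    """Constructed inventory: host_1 .. host_<count>, no left padding."""
    return [f"host_{n}" for n in range(1, count + 1)]

def wildcard_prefilter(host):
    """Model of (Host="host_1*" OR Host="host_2*")."""
    return host.startswith(("host_1", "host_2"))

def by_numeric_suffix(hosts, low, high):
    """Model of the rex + where answer: extract the suffix, compare as a number."""
    picked = []
    for h in hosts:
        m = re.fullmatch(r"host_(\d+)", h)
        if m and wildcard_prefilter(h) and low <= int(m.group(1)) <= high:
            picked.append(h)
    return picked

def by_generated_or(hosts, low, high):
    """Model of the subsearch answer: an explicit OR list of exact names."""
    wanted = {f"host_{n}" for n in range(low, high + 1)}
    return [h for h in hosts if h in wanted]

def by_string_range(hosts, low, high):
    """Model of host >= host_<low> AND host <= host_<high>, compared
    as strings (assumption: lexicographic order)."""
    lo, hi = f"host_{low}", f"host_{high}"
    return [h for h in hosts if wildcard_prefilter(h) and lo <= h <= hi]

def outside_range(picked, low, high):
    """Names a filter returned whose numeric suffix is not in [low, high]."""
    return [h for h in picked if not low <= int(h.split("_")[1]) <= high]

if __name__ == "__main__":
    for count in (25, 120):
        hosts = make_hosts(count)
        for name, fn in (("numeric suffix", by_numeric_suffix),
                         ("generated OR", by_generated_or),
                         ("string range", by_string_range)):
            picked = fn(hosts, 11, 23)
            print(f"{count} hosts, {name}: {len(picked)} selected, "
                  f"outside 11-23: {outside_range(picked, 11, 23)}")
```

Under that ordering the string range also returns host_2, and host_110 through host_120 on the larger inventory, so a search scoped that way covers more hosts than intended.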