Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

idab
Path Finder
‎09-04-2015 01:25 PM

Hi,

I have 25 servers with the same prefix name and suffixed with different number host _1, host_2 ., ......, host_25.

How do you write a search to spool only the servers names from host_11 up to host_23? Instead of using the exclude operator (!=) on the hosts you don't need.

index=* counter="*"  Host="host _1*"    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2015 01:34 PM

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

cramasta
Builder
‎09-10-2015 10:08 PM

I saw someone else do this before was a bit surprised it even worked. 

index= index=* counter="*"   (host=host_1* OR  host=host_2*)  (host >= host_1 AND host <= host_25)  | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎09-08-2015 06:02 PM

Hi @idab

Be sure to accept the answer that solved your question best, otherwise this will appear to other users as unresolved. Thanks!

Patrick

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-04-2015 02:29 PM

Assuming that your host name have same name with suffix as number (1,2,3...24,25) no left padding, try something like this

index= index=* counter="*"  [| gentimes start=-1 | eval Host=mvrange(11,24) | table Host | mvexpand Host | eval Host="YourHostSuffix_".Host ]    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host

The subsearch will dynamically generate a OR condition as 

Host=YourHostSuffix_11 OR Host=YourHostSuffix_12 OR.... OR Host=YourHostSuffix_23

. The only thing you need to provide is the suffix (YourHostSuffix above) and start index (11 in mvrange command) and End range (end range+1 =24 in mvrange).

Reply
Solved! Jump to solution

idab
Path Finder
‎09-08-2015 08:45 AM

Thanks somesoni2

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2015 01:34 PM

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

idab
Path Finder
‎09-08-2015 08:45 AM

Thanks richgallowway!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...