I have 25 servers with the same prefix name and suffixed with different number host 1, host2 ., ......, host_25.
How do you write a search to spool only the servers names from host11 up to host23? Instead of using the exclude operator (!=) on the hosts you don't need.
index=* counter="*" Host="host _1*" | eval Value = round(Value,1)| timechart span=5m first(Value) by host
Something like this?
index=* counter="*" (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart span=5m first(Value) by host
Assuming that your host name have same name with suffix as number (1,2,3...24,25) no left padding, try something like this
index= index=* counter="*" [| gentimes start=-1 | eval Host=mvrange(11,24) | table Host | mvexpand Host | eval Host="YourHostSuffix_".Host ] | eval Value = round(Value,1)| timechart span=5m first(Value) by host
The subsearch will dynamically generate a OR condition as
Host=YourHostSuffix_11 OR Host=YourHostSuffix_12 OR.... OR Host=YourHostSuffix_23
. The only thing you need to provide is the suffix (YourHostSuffix above) and start index (11 in mvrange command) and End range (end range+1 =24 in mvrange).
Be sure to accept the answer that solved your question best, otherwise this will appear to other users as unresolved. Thanks!
I saw someone else do this before was a bit surprised it even worked.
index= index=* counter="*" (host=host_1* OR host=host_2*) (host >= host_1 AND host <= host_25) | eval Value = round(Value,1)| timechart span=5m first(Value) by host