Splunk Search
Highlighted

If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Path Finder

Hi,

I have 25 servers with the same prefix name and suffixed with different number host 1, host2 ., ......, host_25.

How do you write a search to spool only the servers names from host11 up to host23? Instead of using the exclude operator (!=) on the hosts you don't need.

index=* counter="*"  Host="host _1*"    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
Highlighted

Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

SplunkTrust
SplunkTrust

Something like this?

index=* counter="*"  (Host="host_1*" OR Host="host_2*") | rex field=Host "host_(?<suffix>\d+)" | where suffix>10 AND suffix < 24 | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Highlighted

Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Path Finder

Thanks richgallowway!

0 Karma
Highlighted

Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

SplunkTrust
SplunkTrust

Assuming that your host name have same name with suffix as number (1,2,3...24,25) no left padding, try something like this

index= index=* counter="*"  [| gentimes start=-1 | eval Host=mvrange(11,24) | table Host | mvexpand Host | eval Host="YourHostSuffix_".Host ]    | eval Value = round(Value,1)| timechart  span=5m first(Value) by host

The subsearch will dynamically generate a OR condition as

Host=YourHostSuffix_11 OR Host=YourHostSuffix_12 OR.... OR Host=YourHostSuffix_23

. The only thing you need to provide is the suffix (YourHostSuffix above) and start index (11 in mvrange command) and End range (end range+1 =24 in mvrange).

Highlighted

Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Path Finder

Thanks somesoni2

0 Karma
Highlighted

Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Community Manager
Community Manager

Hi @idab

Be sure to accept the answer that solved your question best, otherwise this will appear to other users as unresolved. Thanks!

Patrick

0 Karma
Highlighted

Re: If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

Builder

I saw someone else do this before was a bit surprised it even worked.

index= index=* counter="*"   (host=host_1* OR  host=host_2*)  (host >= host_1 AND host <= host_25)  | eval Value = round(Value,1)| timechart  span=5m first(Value) by host
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.