Splunk Search

Odd or even host

johnmca
Explorer

My company has a server naming convention that specifies a number: Server01, Server02, Server03, Server04 -> Server100.

How would I go about creating a search that would show events from odd- or even-numbered host names only?

Thanks


dwaddle
SplunkTrust

There may be a better way, but this will work.

my_search_terms | rex field=host "Server(?<hostdigit>\d+)" | eval oddhost=hostdigit % 2 | where oddhost=1

oddhost will be set to 0 or 1 depending on whether the host id is odd or even.


Another approach that appears to work could be done with eventtypes. You would define two eventtypes, one for "oddhost" and one for "evenhost", similar to this, in eventtypes.conf:

[oddhost]
search = ( host="Server*1" OR host="Server*3" OR host="Server*5" OR host="Server*7" OR host="Server*9" )

[evenhost]
search = ( host="Server*0" OR host="Server*2" OR host="Server*4" OR host="Server*6" OR host="Server*8" )

More info on eventtypes at http://www.splunk.com/base/Documentation/latest/Knowledge/Abouteventtypes


Given Gerald's recommendation of a macro, you can do something like this in macros.conf:

[evenhost]
definition = ( host="Server*0" OR host="Server*2" OR host="Server*4" OR host="Server*6" OR host="Server*8" )

[oddhost]
definition = ( host="Server*1" OR host="Server*3" OR host="Server*5" OR host="Server*7" OR host="Server*9" )

http://www.splunk.com/base/Documentation/latest/Admin/Macrosconf

http://www.splunk.com/base/Documentation/latest/User/CreateAndUseSearchMacros
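The two techniques in this answer (rex + modulo versus the wildcard stanzas) are not quite equivalent once a host name strays from the Server<NN> convention, which matters when a filter like this feeds a security dashboard or alert scope. The following Python emulation is an added example, not code from the answer or from Splunk: it assumes Python's fnmatch is an adequate stand-in for Splunk's `*` wildcard, treats matching as case-sensitive for simplicity, and runs both filters over a constructed host inventory to list where they disagree.

```python
import re
from fnmatch import fnmatchcase

# Constructed host inventory (not from the page). The last three names
# deliberately sit outside the Server<NN> convention.
HOSTS = [f"Server{n:02d}" for n in range(1, 101)] + [
    "Server-backup1",  # only the wildcard filter admits it (ends in "1")
    "Server07-dr",     # only the rex filter admits it (digits "07" follow "Server")
    "Server101",       # beyond the stated range, both filters still admit it
]

# Same pattern as the answer's rex command; rex is unanchored, like re.search.
REX = re.compile(r"Server(?P<hostdigit>\d+)")


def rex_filter(hosts, want_odd=True):
    """Emulate: rex field=host "Server(?<hostdigit>\\d+)"
                | eval oddhost=hostdigit % 2 | where oddhost=1 (or 0)."""
    target = 1 if want_odd else 0
    kept = []
    for host in hosts:
        match = REX.search(host)
        if match is None:
            # hostdigit is null for this event, so the where clause drops it.
            continue
        if int(match.group("hostdigit")) % 2 == target:
            kept.append(host)
    return kept


# Same patterns as the eventtype / macro stanzas in the answer.
ODD_PATTERNS = [f"Server*{d}" for d in "13579"]
EVEN_PATTERNS = [f"Server*{d}" for d in "02468"]


def wildcard_filter(hosts, want_odd=True):
    """Emulate host="Server*1" OR host="Server*3" ... using fnmatch as the
    wildcard engine (an assumption; Splunk's own matcher is not used here)."""
    patterns = ODD_PATTERNS if want_odd else EVEN_PATTERNS
    return [h for h in hosts if any(fnmatchcase(h, p) for p in patterns)]


def disagreements(hosts, want_odd=True):
    """Hosts that exactly one of the two filters admits, sorted."""
    by_rex = set(rex_filter(hosts, want_odd))
    by_wildcard = set(wildcard_filter(hosts, want_odd))
    return sorted(by_rex ^ by_wildcard)


if __name__ == "__main__":
    print("odd hosts (rex):     ", len(rex_filter(HOSTS)))
    print("odd hosts (wildcard):", len(wildcard_filter(HOSTS)))
    print("disagree on odd: ", disagreements(HOSTS, want_odd=True))
    print("disagree on even:", disagreements(HOSTS, want_odd=False))
```

On the hundred conforming hosts both filters agree exactly; the disagreements only appear on names that break the convention, so whichever form you deploy, it is worth checking the host list it actually admits (for example with `| stats count by host`) rather than trusting the naming scheme.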


gkanapathy
Splunk Employee

The macro will possibly be a bit faster than using rex, but you should try them both a few times, then use the Search Inspector to see which goes faster. Be sure to turn off "Field Discovery" when benchmarking.

gkanapathy
Splunk Employee

I would recommend using a macro instead of an eventtype in this case. Defining the eventtype will make searches slower, as the eventtype not only expands the search, but then all results are checked against the list of possible eventtypes for a match. Using a macro will just expand the search terms, without doing the typing on the results.
