- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is a shorthand way to reference a fixed list ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're using Spunk in a Windows domain that has hundreds of computers. There is a fixed subset of computers that I want to keep an eye on using events available from Splunk indexes. These indexes contain data from all computers in the domain. I want to write queries that return events only from my subset, but I don't want to have to filter on my subset for each query I write, e.g., I don't want to have to do this:
index=foo host="bar1" OR host="bar2" OR host="bar3" OR host="bar4" OR host="bar5" OR host="bar6" OR host="bar7" OR host="bar8" .....
Is there a way to make a list of the names of the fixed subset of computers that I can reference when doing any search, e.g.,
index=foo host="myComputerList" .....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess there are two main options:
1: Store the host="bar1" OR host="bar2" OR host="bar3" OR host="bar4" OR host="bar5" OR host="bar6" OR host="bar7" OR host="bar8" ..... into a search macro. So you can then write your search as:
index= foo `host_filter_macro`
More info on search macros: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Definesearchmacros
2: Store the list of hosts into a lookup, and write your search with a subsearch like this:
index=foo [| inputlookup hostlist]
More info on subsearches: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess there are two main options:
1: Store the host="bar1" OR host="bar2" OR host="bar3" OR host="bar4" OR host="bar5" OR host="bar6" OR host="bar7" OR host="bar8" ..... into a search macro. So you can then write your search as:
index= foo `host_filter_macro`
More info on search macros: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Definesearchmacros
2: Store the list of hosts into a lookup, and write your search with a subsearch like this:
index=foo [| inputlookup hostlist]
More info on subsearches: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Store the list of hosts in an eventtype.
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes
[special_hosts]
search = ( index=foo host="bar1" OR host="bar2" OR host="bar3" OR host="bar4" OR host="bar5" OR host="bar6" OR host="bar7" OR host="bar8" )
then just search
eventtype=special_hosts
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
