- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need some help on the syntax of wildcards in the search. I have multiple servers and I don't want to keep using OR. For example I have "server01" through "server21" and I sometimes want to just pull out results for server3 through server6.
In Linux I can specify server0[3-6]. What is the Splunk equivalent?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1b197/1b197b09c45bbfae72b1198f045addd16a8a2cdb" alt="lguinn2 lguinn2"
There is no equivalent in Splunk, sorry.
However, you can tag your servers. For example, if you tag a set of servers (server03 to server06) as "Singapore" then you could search
tag=Singapore
It's a great way to do a variety of shortcuts for searches. Also, tags can be shared so that everyone on your team can use them.
Here's a video on tags: http://www.splunk.com/view/SP-CAAAGYJ
The documentation is here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Lisa's answer is a good approach.
Another way to solve this in the search language is to use the regex command.
Note, the base search pulls all events BEFORE regex has a chance to filter results, so it is important to make the base search as specific as possible. An example using above requirements:
host=server0* | regex host="server0[3-6]"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1b197/1b197b09c45bbfae72b1198f045addd16a8a2cdb" alt="lguinn2 lguinn2"
Good point. I use regex
a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1b197/1b197b09c45bbfae72b1198f045addd16a8a2cdb" alt="lguinn2 lguinn2"
There is no equivalent in Splunk, sorry.
However, you can tag your servers. For example, if you tag a set of servers (server03 to server06) as "Singapore" then you could search
tag=Singapore
It's a great way to do a variety of shortcuts for searches. Also, tags can be shared so that everyone on your team can use them.
Here's a video on tags: http://www.splunk.com/view/SP-CAAAGYJ
The documentation is here
data:image/s3,"s3://crabby-images/a266d/a266d0c80c12793a952b209c17cc3de41b17fc89" alt=""