Splunk Search

Wildcards in search

mdavis43
Path Finder

I need some help on the syntax of wildcards in the search. I have multiple servers and I don't want to keep using OR. For example I have "server01" through "server21" and I sometimes want to just pull out results for server3 through server6.

In Linux I can specify server0[3-6]. What is the Splunk equivalent?

1 Solution

lguinn2
Legend

There is no equivalent in Splunk, sorry.

However, you can tag your servers. For example, if you tag a set of servers (server03 to server06) as "Singapore" then you could search

tag=Singapore

It's a great way to do a variety of shortcuts for searches. Also, tags can be shared so that everyone on your team can use them.

Here's a video on tags: http://www.splunk.com/view/SP-CAAAGYJ

The documentation is here

View solution in original post

bwooden
Splunk Employee
Splunk Employee

Lisa's answer is a good approach.

Another way to solve this in the search language is to use the regex command.

Note, the base search pulls all events BEFORE regex has a chance to filter results, so it is important to make the base search as specific as possible. An example using above requirements:

host=server0* | regex host="server0[3-6]"

lguinn2
Legend

Good point. I use regex a lot.

lguinn2
Legend

There is no equivalent in Splunk, sorry.

However, you can tag your servers. For example, if you tag a set of servers (server03 to server06) as "Singapore" then you could search

tag=Singapore

It's a great way to do a variety of shortcuts for searches. Also, tags can be shared so that everyone on your team can use them.

Here's a video on tags: http://www.splunk.com/view/SP-CAAAGYJ

The documentation is here

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...