Solved: Re: Wildcards in search

mdavis43 · ‎09-19-2013

I need some help on the syntax of wildcards in the search. I have multiple servers and I don't want to keep using OR. For example I have "server01" through "server21" and I sometimes want to just pull out results for server3 through server6.

In Linux I can specify server0[3-6]. What is the Splunk equivalent?

lguinn2 · ‎09-19-2013

There is no equivalent in Splunk, sorry.

However, you can tag your servers. For example, if you tag a set of servers (server03 to server06) as "Singapore" then you could search

tag=Singapore

It's a great way to do a variety of shortcuts for searches. Also, tags can be shared so that everyone on your team can use them.

Here's a video on tags: http://www.splunk.com/view/SP-CAAAGYJ

The documentation is here

View solution in original post

bwooden · ‎09-19-2013

Lisa's answer is a good approach.

Another way to solve this in the search language is to use the regex command.

Note, the base search pulls all events BEFORE regex has a chance to filter results, so it is important to make the base search as specific as possible. An example using above requirements:

host=server0* | regex host="server0[3-6]"

lguinn2 · ‎09-19-2013

Good point. I use regex a lot.

lguinn2 · ‎09-19-2013

There is no equivalent in Splunk, sorry.

However, you can tag your servers. For example, if you tag a set of servers (server03 to server06) as "Singapore" then you could search

tag=Singapore

It's a great way to do a variety of shortcuts for searches. Also, tags can be shared so that everyone on your team can use them.

Here's a video on tags: http://www.splunk.com/view/SP-CAAAGYJ

The documentation is here

Wildcards in search

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor